Abstract. The Ambient Logic (AL) has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data.

We study some basic questions concerning the discriminating power of AL, focusing on the equivalence on processes induced by the logic ($=_L$). As underlying calculi besides MA we consider a subcalculus in which an image-finiteness condition holds and that we prove to be Turing complete. Synchronous variants of these calculi are studied as well.

In these calculi, we provide two operational characterisations of $=_L$: a coinductive one (as a form of bisimilarity) and an inductive one (based on structural properties of processes). After showing $=_L$ to be strictly finer than barbed congruence, we establish axiomatisations of $=_L$ on the subcalculus of MA (both the asynchronous and the synchronous version), enabling us to relate $=_L$ to structural congruence. We also present some (un)decidability results that are related to the above separation properties for AL: the undecidability of $=_L$ on MA and its decidability on the subcalculus.



This paper is devoted to the study of the Ambient Logic [14] (AL), a modal logic for expressing properties of Mobile Ambients [13] (MA) processes. The model of Mobile Ambients is based on the notion of locality (an ambient is a named locality), and interaction in MA appears as movement of localities. Localities may be nested, as in a[P | b[Q] | c[R]], which describes an ambient a containing a process P as well as two sublocalities named b and c.
An ambient can be thought of as a labelled tree. The sibling relation on subtrees represents spatial contiguity; the subtree relation represents spatial nesting. A label may represent an ambient name or a capability; moreover, a replication tag on labels indicates the resources that are persistent. The trees are unordered: the order of the children of a node is not important. As an example, the process P = !a[in c] | open a.b[0] can be thought of as a tree with open a.b[0] on the root node and in c on a child node labelled with a. The replication !a indicates that the resource a[in c] is persistent: unboundedly many such ambients can be spawned. By contrast, open a is ephemeral: it can open only one ambient.

Syntactically, each tree is finite. Semantically, however, due to replications, a tree is an infinite object. As a consequence, the temporal developments of a tree can be quite rich. The process P above (we freely switch between processes and their tree representation) has only one reduction, to in c | !a[in c] | b[0]. However, the process !a[in c] | !open a.b[0] can evolve into any process of the form

  in c | ... | in c | b[0] | ... | b[0] | !a[in c] | !open a.b[0] .

In general, a tree may have an infinite temporal branching, that is, it can evolve into an 
infinite number of trees, possibly quite different from each other (for instance, pairwise 
behaviourally unrelated). Technically, this means that the trees are not image-finite, where 
image-finite indicates a finiteness on the temporal branching of a process (we will come back 
to the definition of image-finiteness later). 

Although the MA calculus often includes name restriction, (νn)P, reminiscent of the pi-calculus, we will omit this construction (unless we mention it explicitly), and will refer to public MA, or simply MA, for the calculus without name restriction.

In summary, MA is a calculus of dynamically-evolving unordered edge-labelled trees. AL is a logic for reasoning on such trees. The actual definition of satisfaction of the formulas is given on MA processes quotiented by a relation of structural congruence, ≡, which equates processes with the same tree representation. (This relation is similar to Milner's structural congruence for the π-calculus [28].)

AL has also been advocated as a foundation of query languages for semistructured 
data [9]. Here, the laws of the logic are used to describe query rewriting rules and query 
optimisations. This line of work exploits the similarities between dynamically-evolving 
edge-labelled trees, underlying the ambient computational model, and standard models of 
semistructured data. 

AL has a connective that talks about time, that is, how processes can evolve. The formula ◇A is satisfied by those processes with a future in which A holds. The logic has also connectives that talk about space, that is, the shape of the edge-labelled trees that describe process distributions: the formula n[A] is satisfied by ambients named n whose content satisfies A (read on trees: n[A] is satisfied by the trees whose root has just a single edge n leading to a subtree that satisfies A); the formula A1 | A2 is satisfied by the processes that can be decomposed into parallel components P1 and P2 where each Pi satisfies Ai (read on trees: A1 | A2 is satisfied by the trees that are the juxtaposition of two trees that respectively satisfy the formulas A1 and A2); the formula 0 is satisfied by the terminated process (on trees: 0 is satisfied by the tree consisting of just the root node).

SEPARABILITY IN THE AMBIENT LOGIC *

AL is quite different from standard modal logics. First, the latter logics do not talk about space. Secondly, they have more precise temporal connectives. The only temporal connective of AL talks about the many-step evolution of a system on its own. In standard modal logics, by contrast, the temporal connectives also talk about the potential interactions between a process and its environment. For instance, in the Hennessy-Milner logic [18], the temporal modality ⟨μ⟩A is satisfied by the processes that can perform the action μ and become a process that satisfies A. The action μ can be a reduction, but also an input or an output.

In this paper we study the equivalence between MA processes induced by the logic, written $=_L$: we write $P =_L Q$ if P and Q satisfy exactly the same formulas. Our main goal is to understand how much the logic discriminates between processes, i.e., to study the separating power of $=_L$. We show that $=_L$ is a rather fine-grained relation. Related to the problem of the equivalence induced by the logic are issues of decidability, which we also investigate.

The central technical device we rely on to analyse $=_L$ is a characterisation as a form of bisimilarity, that we call intensional bisimilarity and write $\simeq_{int}$. The bisimulation game defining $\simeq_{int}$ takes into account the interaction possibilities of agents, and also includes clauses to observe the spatial structure of processes, corresponding to the logical connectives of emptiness, spatial conjunction, and ambient. Intensional bisimilarity is to AL what standard bisimilarity is to Hennessy-Milner logic. In particular, $\simeq_{int}$ can be used to assess separability and expressiveness properties of the modal logic it captures. For instance, the definition of $\simeq_{int}$ reveals that, in some cases, logical observations are unable to distinguish between an agent entering an ambient, and the same agent going in and out of this ambient before finally entering it. We call this phenomenon stuttering. Stuttering can be seen as the spatial counterpart of the following 'eta law' for the asynchronous π-calculus [31]:

  $a(x).(\bar{a}\langle x\rangle \mid a(x).P) = a(x).P$

(a similar equality also holds for communication in MA). Indeed, stuttering disappears when the asynchronous movements are replaced by synchronous ones, as is the case, e.g., in the model of Safe Ambients [25].

Something worth stressing is that our characterisation results are established on the full, public, MA calculus in which, as mentioned earlier, terms need not be image-finite, and with respect to a finitary logic. We are not aware of other results of this kind: characterisation results for a bisimilarity with respect to a modal logic in the literature (precisely, the completeness part of the characterisations) rely either on an image-finiteness hypothesis for the terms of the language, or on the presence of some infinitary constructs (such as infinitary conjunctions) in the syntax of the logic. Technically, the proof of our result is based on the definition of some complex modal formulas. To make it easier to understand our approach, we first present the main structure of the proof in a subcalculus without infinite behaviours; we then move to the full public MA calculus to show how replication is handled. Our proof exploits two main technical notions. The first idea is to introduce an induction principle on processes, that allows us to provide an inductive characterisation of $\simeq_{int}$. We then introduce modal formulas whose role is, intuitively, to establish that only finitely many terms have to be taken into consideration when exploring the outcomes of a given process.
Exploiting $\simeq_{int}$, we relate logical equivalence with two important equivalences for processes. The first equivalence is the standard extensional equivalence, namely barbed congruence (≈). Here the main result is that logical equivalence is strictly finer. As counterexamples to the inclusion $\approx\ \subseteq\ =_L$ we have found three axiom schemata. We do not know whether they are complete, that is, if they exactly describe the difference between the two relations on MA.

We then compare logical equivalence with a second relation, namely structural congruence (≡), an intensional and very discriminating equivalence. We establish an axiomatisation of logical equivalence on a rather broad class of processes, called $MA_{IF}$ (defined in Subsection 5.1). The definition of $MA_{IF}$ relies on an image-finiteness constraint that is lighter than the usual notion of image-finiteness in process calculi, because only certain subterms of processes are required to give rise to finitely many reducts. This subcalculus is shown to be Turing complete in Section 6. We are not aware of other axiomatisations of semantic equivalences (defined by operational, denotational, logical, or other means) in higher-order process calculi. Our result says that on $MA_{IF}$, $=_L$ almost exactly coincides with structural congruence, the only difference being an 'eta law' for communication of the form mentioned above. This axiomatisation does not hold in the full MA, for instance because of the phenomenon of stuttering.

Communication in MA is asynchronous, in the sense that outputs have no continuation. We show in Subsection 5.2 that if asynchronous communication is dropped in favour of synchronous communication, then logical equivalence exactly coincides with structural congruence on the synchronous version of $MA_{IF}$.

The comparisons reveal the intensional flavour of AL. Although the logic has operators for looking into the parallel structure of processes, the intensionality of the logic was far from immediate, essentially for two reasons. The first reason is that not all syntactical constructions of MA are reflected in the logic, which entirely lacks operators for capabilities, communications, and replication. The second reason is that we adopt a weak interpretation for reductions (i.e., we abstract from actions internal to the processes); this makes it possible to handle infinite processes, but at the same time entails a loss of precision when describing properties of processes. In such a setting it is therefore surprising that $=_L$ is actually so close to ≡, also because ≡ is a very strong relation: a few axioms are the only difference with syntactic identity.

Being very close to a syntactical description of processes, the relation of structural congruence is decidable. As a consequence, in the subcalculus of MA where we show that $=_L$ coincides with ≡, we can also derive decidability for $=_L$. However, the frontier with undecidability for $=_L$ is very subtle: we establish undecidability of $=_L$ in the full calculus by encoding the halting problem of a Turing machine. This boils down in our setting to specifying Turing machines in Mobile Ambients and building a scenario where the halting of a machine corresponds to the existence of reduction loops, i.e., of processes P, Q such that P reduces to Q and Q reduces to P. This encoding is a challenging 'programming task', since the process must return to its initial state modulo $=_L$; this is a demanding condition, since, as mentioned above, $=_L$ is a rather strong relation. For instance, one has to be very precise in garbage collecting dead code during the execution of the Turing machine.

Other related work. Although not directly related from a technical point of view, a work worth mentioning is [15]. In that work, models of (enrichments of) relevant and linear logic are defined using Milner's SCCS. In particular, the interpretation of implication is reminiscent of the definition of satisfaction for the guarantee operator (▷) in AL. Dam however explicitly renounces giving sense to formulas that talk about the structure of processes, as is the case in the Ambient Logic.

As stated before, intensional bisimilarity is to AL what bisimilarity is to Hennessy-Milner logic. Approximants of intensional bisimilarity, that will be needed in our proofs of completeness, may also be expressed in terms of Ehrenfeucht-Fraïssé games for spatial logics, as shown in [16]. These equivalences are standard devices to establish expressiveness results. For instance, they have been exploited to obtain adjunct elimination properties of spatial logics in [H [26].

This work is a revised and extended version of parts of [30] and [20], precisely, those parts that deal with issues related to separability of AL. A companion paper [21] studies expressiveness issues. By the time the writing of the present paper was completed, a few papers had appeared that make use of results or methods presented here. These are works that study the intensionality of spatial logics or decidability properties. Works related to the intensionality of spatial logics include [8], where the spatial logic is static, and [3, 5], where the logic is applied to reason on calculi that feature a simpler notion of space, with a strong interpretation of the temporal modality. A spatial logic for the π-calculus satisfying the property that logical equivalence coincides with behavioural equivalence has been studied in [19]. This logic is defined by removing modal operators like or spatial conjunction, and keeping only 'contextual' operators (guarantee and revelation adjunct). A similar result, but for a logic that includes spatial conjunction and 0, has been established for a process calculus encompassing a form of distribution in [7]. Works related to the decidability properties of Mobile Ambients include [U [27], that address questions of termination, and [2, 4], that consider reachability in syntactic subcalculi of MA (in the sense that these subcalculi are obtained by eliminating some syntactical constructs). It can be noted that our analysis of decidability (in Section 6) allows us to deduce a property in terms of reachability: as discussed above, we establish that one cannot detect the presence of reduction loops (i.e., the existence of processes P and Q that reduce to each other). This in particular entails undecidability of reachability.

Structure of the paper. We define the Mobile Ambients calculus and the Ambient Logic in Section 2. Section 3 is devoted to the study of intensional bisimilarity, $\simeq_{int}$. We show that $\simeq_{int}$ is included in logical equivalence, $=_L$. Completeness, i.e., the reverse inclusion, is first proved only for finite MA processes. For this, we need a certain number of expressiveness results about AL from [21], which are collected in Subsection 3.3. The completeness proof for the whole calculus is presented in Section 4, which completes our study of $\simeq_{int}$ by finally establishing that $\simeq_{int}$ and $=_L$ coincide. The inductive characterisation of $\simeq_{int}$ is given in Subsection 4.1 and the logical characterisation of the outcomes of a process in Subsection 4.3. We compare $=_L$ with barbed congruence and structural congruence in Section 5. The subcalculus $MA_{IF}$, on which we establish an axiomatisation of $=_L$, is also introduced here. Subsection 5.2 explains how our results are modified when moving to synchronous Ambients. We present our encoding of Turing machines into $MA_{IF}$ in Section 6 and give concluding remarks in Section 7.

2. Background 

This section collects the necessary background for this paper. It includes the Mobile Ambients calculus [13] syntax and semantics, and the Ambient Logic [11].
2.1. Syntax of Mobile Ambients. We recall here the syntax of Mobile Ambients (MA) (we sometimes also call this calculus the Ambient calculus). In the calculus we study, only names, not capabilities, can be communicated; this allows us to work in an untyped calculus.

The calculus is asynchronous; a synchronous extension will be considered in Section 5. As in [9, 10], the calculus has no restriction operator for creating new names.

Table 2.1 shows the syntax. Letters n, m, h range over names, x, y, z over variables; η ranges over names and variables. Both the set of names and the set of variables are infinite. The expressions in η, out η, and open η are the capabilities. Messages and abstractions are the input/output (I/O) primitives. A guard is either an abstraction or a capability. A process P is single iff there exists P' such that either P = cap.P' for some cap or P = n[P'] for some n.

Abstraction is a binding construct, giving rise to the set of free variables of a process P, written fv(P). We ignore syntactic differences due to alpha conversion. We write fn(P) for the set of (free) names of process P. A closed process has no free variable. Unless explicitly stated, we use P, Q, ... to range over closed processes in our definitions and results. Substitutions, ranged over with σ, are partial functions from variables to names. Given σ, we write Pσ to denote the result of the application of σ to P. Given two processes P and Q, we say that σ is a closing substitution for P and Q (in short, a closing substitution) if Pσ and Qσ are closed processes. We also introduce another notation: P{n/x} stands for the capture avoiding substitution of variable x with name n in P, and P{n/m} stands for the process obtained by replacing name m with name n in P. Given n processes P1, ..., Pn, we sometimes write $\prod_{1 \le i \le n} P_i$ for the parallel composition P1 | ... | Pn.

Process contexts (simply called contexts) are processes containing an occurrence of a 
special process, called the hole. We use C to range over process contexts, and C{| P |} stands 
for the process obtained by replacing the hole in C with P. Given two processes P and Q, 
a closing context for P and Q (in short, a closing context) is a context C such that C{| P |} 
and C{| Q |} are closed processes. 



  n, m, h, k, ...              Names
  x, y, ...                    Variables
  η                            Names ∪ Variables

  cap  ::=  in η       (enter)          Capabilities
         |  out η      (exit)
         |  open η     (open)

  P, Q, R  ::=  0          (nil)         Processes
             |  P | Q      (parallel)
             |  !P         (replication)
             |  cap.P      (prefixing)
             |  η[P]       (ambient)
             |  ⟨η⟩        (message)
             |  (x) P      (abstraction)

Processes with the same internal structure are identified. This is expressed by means of the structural congruence relation, ≡, the smallest congruence such that the following laws hold:

  P | 0 ≡ P          P | Q ≡ Q | P          P | (Q | R) ≡ (P | Q) | R

  !P ≡ !P | P        !0 ≡ 0                 !(P | Q) ≡ !P | !Q          !!P ≡ !P

As a consequence of the results presented in [32], which works with a richer calculus than the one we study, we have:

Theorem 2.1. ≡ is decidable.

Definition 2.2 (Finite process). A process P is finite iff there exists a process P' with no occurrence of the replication operator such that P ≡ P'.

  Red-Open    open n.P | n[Q]  →  P | Q
  Red-In      n[in m.P1 | P2] | m[Q]  →  m[n[P1 | P2] | Q]
  Red-Out     m[n[out m.P1 | P2] | Q]  →  n[P1 | P2] | m[Q]
  Red-Com     ⟨η⟩ | (x) P  →  P{η/x}

  Red-Par     P → P'   implies   P | Q → P' | Q
  Red-Amb     P → P'   implies   n[P] → n[P']
  Red-Str     P ≡ P',  P' → P'',  P'' ≡ P'''   implies   P → P'''

Table 1: The rules for reduction



2.2. Operational Semantics. The semantics of the calculus is given by a reduction relation →. We shall sometimes use the phrase 'τ-transitions' to refer to → transitions. The corresponding rules are given in Table 2.2. The reflexive and transitive closure of → is written ⇒.

Behavioural equivalence is defined using reduction and observability predicates ⇓n that indicate whether a process can liberate an ambient named n: formally, P ⇓n holds if there are P', P'' such that P ⇒ n[P'] | P''.

Definition 2.3 (barbed congruence, [29, 23]). A symmetric relation $\mathcal{R}$ between processes is a barbed bisimulation if $P \mathcal{R} Q$ implies:

(1) whenever P → P', there exists Q' such that Q ⇒ Q' and $P' \mathcal{R} Q'$;

(2) for each name n, P ⇓n iff Q ⇓n.

Barbed bisimilarity, written $\dot{\approx}$, is the largest barbed bisimulation. Two processes P and Q are barbed congruent, written P ≈ Q, if C{| P |} $\dot{\approx}$ C{| Q |} for all closing contexts C.



2.3. Ambient Logic. The Ambient Logic (AL) is presented in Table 2. We use an infinite set of logical variables, ranged over with x, y, z; η ranges over names and variables. (We can use the same syntax as for variables and names of the Ambient calculus, since formula and process terms are separate.) We use A, B, ..., T, T', ... to range over formulas.

The logic has the propositional connectives, T, ¬A, A ∨ B, and universal quantification on names, ∀x. A, with the standard logical interpretation. The temporal connective, ◇A, is considered with a weak interpretation. The spatial connectives, 0, A | B, and η[A], are the logical counterpart of the corresponding constructions on processes. A ▷ B and A@η are the adjuncts of A | B and η[A], in the sense of being, roughly, their inverse (see below). A{n/x} is the formula obtained from A by substituting variable x by name n. A formula without free variables is closed. Along the lines of the definition of process contexts, we define formula contexts as formulas containing an occurrence of a special hole formula. We use A{| · |} to range over formula contexts; then A{| B |} stands for the formula obtained by replacing the hole in A{| · |} with B.

  A  ::=  T          (true)                                    classical logic
       |  ¬A         (negation)
       |  A ∨ B      (disjunction)
       |  ∀x. A      (universal quantification over names)
       |  ◇A         (sometime)                                temporal and spatial connectives
       |  0          (void)
       |  η[A]       (edge)
       |  A | B      (composition)
       |  A@η        (localisation)                            logical adjuncts
       |  A ▷ B      (linear implication)

Table 2: The syntax of logical formulas

Definition 2.4 (Satisfaction). The satisfaction relation is defined between closed processes and closed formulas as follows:

  P ⊨ T          ≜  always true
  P ⊨ ∀x. A      ≜  for any n, P ⊨ A{n/x}
  P ⊨ ¬A         ≜  not P ⊨ A
  P ⊨ A1 | A2    ≜  ∃P1, P2 s.t. P ≡ P1 | P2 and Pi ⊨ Ai, i = 1, 2
  P ⊨ A ∨ B      ≜  P ⊨ A or P ⊨ B
  P ⊨ n[A]       ≜  ∃P' s.t. P ≡ n[P'] and P' ⊨ A
  P ⊨ 0          ≜  P ≡ 0
  P ⊨ ◇A         ≜  ∃P' s.t. P ⇒ P' and P' ⊨ A
  P ⊨ A@n        ≜  n[P] ⊨ A
  P ⊨ A ▷ B      ≜  ∀R, R ⊨ A implies P | R ⊨ B

The logic in [11] has also a somewhere connective, that holds of a process containing, at some arbitrary level of nesting of ambients, an ambient whose content satisfies A. For the sake of simplicity, we omit this connective, but we believe that the addition of this connective would not change the results in the paper (in particular Theorem 3.29 can be adapted easily).

Lemma 2.5 ([11]). If P ≡ Q and P ⊨ A, then also Q ⊨ A.
We give ∨ the least syntactic precedence, thus A1 ▷ A2 ∨ A3 reads (A1 ▷ A2) ∨ A3, and A1 ▷ (◇A2 ∨ ◇A3) reads A1 ▷ ((◇A2) ∨ (◇A3)). We shall use the following standard duals of disjunction and universal quantification:

  A ∧ B ≜ ¬(¬A ∨ ¬B)          ∃x. A ≜ ¬∀x. ¬A

Definition 2.6 (Logical equivalence). For processes P and Q, we say that P and Q are logically equivalent, written $P =_L Q$, if for any closed formula A it holds that P ⊨ A iff Q ⊨ A.

The remainder of this paper is devoted to the study of =l on MA and on some subcalculi 
of MA. 



3. Intensional Bisimilarity

In order to be able to carry out our programme for $=_L$, as discussed in the introduction, we look for a co-inductive characterisation of this relation, as a form of labelled bisimilarity. Before introducing the bisimilarity relation, we need to define labelled transitions on MA, and a few derived relations such as the stuttering relation.



3.1. Definitions. 

3.1.1. Labelled transitions and stuttering. 

Definition 3.1. Let P be a closed process. We write:

• $P \xrightarrow{cap} P'$, where cap is a capability, if P ≡ cap.P1 | P2 and P' ≡ P1 | P2.

• $P \xrightarrow{\langle n\rangle} P'$ if P ≡ ⟨n⟩ | P'.

• $P \xrightarrow{(n)} P'$ if P ≡ (x) P1 | P2 and P' ≡ P1{n/x} | P2.

• $P \stackrel{\mu}{\Longrightarrow} P'$, where μ is one of the above labels, if $P \Longrightarrow \xrightarrow{\mu} \Longrightarrow P'$ (where $\Longrightarrow \xrightarrow{\mu} \Longrightarrow$ is relation composition).

• (stuttering) $P \stackrel{(\mu_1,\mu_2)^*}{\Longrightarrow} P'$ if there is i ≥ 1 and processes P1, ..., Pi with P = P1 and P' = Pi such that $P_r \stackrel{\mu_1}{\Longrightarrow} \stackrel{\mu_2}{\Longrightarrow} P_{r+1}$ for all 1 ≤ r < i.

• Finally, $\stackrel{\widehat{cap}}{\Longrightarrow}$ is a convenient notation for compacting statements involving capability transitions: $\stackrel{\widehat{in\ n}}{\Longrightarrow}$ is $\stackrel{in\ n}{\Longrightarrow} \stackrel{(out\ n,\, in\ n)^*}{\Longrightarrow}$, similarly $\stackrel{\widehat{out\ n}}{\Longrightarrow}$ is $\stackrel{out\ n}{\Longrightarrow} \stackrel{(in\ n,\, out\ n)^*}{\Longrightarrow}$, and $\stackrel{\widehat{open\ n}}{\Longrightarrow}$ is $\stackrel{open\ n}{\Longrightarrow}$.

We discuss in Example 3.3 below why stuttering is needed to capture logical equivalence in MA.

3.1.2. Intensional bisimilarity, $\simeq_{int}$. We present here our main labelled bisimilarity, intensional bisimilarity, written $\simeq_{int}$. This relation will be used to capture the separating power of $=_L$.

Intuitively, the definition of $\simeq_{int}$ is based on the observations made available by the logic either using built-in operators or through derived formulas for capabilities (see below).

Definition 3.2. A symmetric relation $\mathcal{R}$ on closed processes is an intensional bisimulation if $P \mathcal{R} Q$ implies:

(1) If P ≡ P1 | P2 then there are Q1, Q2 such that Q ≡ Q1 | Q2 and $P_i \mathcal{R} Q_i$, for i = 1, 2.

(2) If P ≡ 0 then Q ≡ 0.

(3) If P → P' then there is Q' such that Q ⇒ Q' and $P' \mathcal{R} Q'$.

(4) If $P \xrightarrow{in\ n} P'$ then there is Q' such that $Q \stackrel{in\ n}{\Longrightarrow} \stackrel{(out\ n,\, in\ n)^*}{\Longrightarrow} Q'$ and $P' \mathcal{R} Q'$.

(5) If $P \xrightarrow{out\ n} P'$ then there is Q' such that $Q \stackrel{out\ n}{\Longrightarrow} \stackrel{(in\ n,\, out\ n)^*}{\Longrightarrow} Q'$ and $P' \mathcal{R} Q'$.

(6) If $P \xrightarrow{open\ n} P'$ then there is Q' such that $Q \stackrel{open\ n}{\Longrightarrow} Q'$ and $P' \mathcal{R} Q'$.

(7) If $P \xrightarrow{\langle n\rangle} P'$ then there is Q' such that $Q \stackrel{\langle n\rangle}{\Longrightarrow} Q'$ and $P' \mathcal{R} Q'$.

(8) If $P \xrightarrow{(n)} P'$ then there is Q' such that $Q \mid \langle n\rangle \Longrightarrow Q'$ and $P' \mathcal{R} Q'$.

(9) If P ≡ n[P'] then there is Q' such that Q ≡ n[Q'] and $P' \mathcal{R} Q'$.

Intensional bisimilarity, written $\simeq_{int}$, is the largest intensional bisimulation. The definition of $\simeq_{int}$ induces a relation $\simeq^{\circ}_{int}$, defined on open terms by saying that $P \simeq^{\circ}_{int} Q$ iff for any closing substitution σ, $P\sigma \simeq_{int} Q\sigma$.

The definition of $\simeq_{int}$ has (at least) three intensional clauses, namely (1), (2) and (9), which allow us to observe parallel compositions, the terminated process, and ambients. These clauses correspond to the intensional connectives '|', '0' and 'n[·]' of the logic. The clause (8) for abstraction is similar to the input clause of bisimilarity in asynchronous message-passing calculi [1]. This is so because communication in MA is asynchronous (see also Subsection 5.2 below). Note that, using the notation $\stackrel{\widehat{cap}}{\Longrightarrow}$ introduced above, items 4, 5, and 6 can be replaced by the following one:

• if $P \xrightarrow{cap} P'$, then there is Q' such that $Q \stackrel{\widehat{cap}}{\Longrightarrow} Q'$ and $P' \mathcal{R} Q'$.

As we have pointed out above, stuttering is used to capture some transitions of processes that the logic cannot detect. It gives rise to particular kinds of loops, that we illustrate in the following example.

Example 3.3 (Stuttering Loop). Consider the processes

  P ≜ !open n.in n.out n.in n.out n.n[0] | n[0]
  Q ≜ !open n.in n.out n.in n.out n.n[0] | in n.out n.n[0] .

We have the following loop, modulo stuttering:

  $P \stackrel{(in\ n,\, out\ n)^*}{\Longrightarrow} Q \stackrel{(in\ n,\, out\ n)^*}{\Longrightarrow} P$

The existence of such pairs of processes that reduce one to each other modulo stuttering will play an important role in the axiomatisation of $=_L$. We call such a situation a loop. It holds that $P \not\simeq_{int} Q$; however, since $P \stackrel{(in\ n,\, out\ n)^*}{\Longrightarrow} Q \stackrel{(in\ n,\, out\ n)^*}{\Longrightarrow} P$, we have

  $out\ n.P \simeq_{int} out\ n.Q$ .

Actually, out n.P ≈ out n.Q, that is, these two processes are extensionally equivalent, and they are also equated by the logic (i.e., $out\ n.P =_L out\ n.Q$). But they would not be intensionally bisimilar without the stuttering relations.

The reason for this peculiarity is that, intuitively, these processes have the same behaviour in any testing context. To see why the extra capabilities of Q do not affect its behaviour, consider a reduction involving out n.P, of the following shape:

  n[m[out n.P | R]] → n[0] | m[P | R] .

Process out n.Q can match this transition using three reductions:

  n[m[out n.Q | R]] → n[0] | m[in n.out n.n[0] | Q' | R]
                    → n[m[out n.n[0] | Q' | R]]
                    → n[0] | m[P | R],

where Q' is !open n.in n.out n.in n.out n.n[0]. Conversely, the process out n.Q may be involved in the following scenario:

  n[m[out n.Q | R]] → n[0] | m[Q | R] ,

and the process out n.P can mimic this reduction. If we set Q' = !open n.in n.out n.in n.out n.n[0], we have

  n[m[out n.P | R]] → n[0] | m[n[0] | Q' | R]
                    → n[0] | m[Q' | in n.out n.in n.out n.n[0] | R]
                    → n[m[Q' | out n.in n.out n.n[0] | R]]
                    → n[0] | m[Q | R] .

By contrast, stuttering does not show up in Safe Ambients [24], where movements are achieved by means of synchronisations between a capability and a co-capability, and alike models.
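As an added example (this paper contains no code, and the term representation below is a constructed one), the following Python model implements the structural congruence laws of Section 2.1 as a normal form and the reduction rules of Table 2.2 as a one-step reduct function, so that the introduction's process !a[in c] | open a.b[0] and the three-step matching of out n.Q in Example 3.3 can be checked mechanically. The constructor names (par, rep, cap, amb, msg, abs_) and all ambient names are placeholders chosen for the demonstration.

```python
NIL = ('nil',)  # constructed tuple representation of terms; the paper has no code

def par(*ps): return norm(('par', ps))               # P1 | ... | Pn
def rep(p): return ('rep', p)                        # !P
def cap(kind, n, p=NIL): return ('cap', kind, n, p)  # in n.P, out n.P, open n.P
def amb(n, p=NIL): return ('amb', n, p)              # n[P]
def msg(n): return ('msg', n)                        # <n>
def abs_(x, p): return ('abs', x, p)                 # (x) P

def norm(p):
    """Normal form modulo structural congruence: flatten '|', drop 0, push '!' inside '|', !!P = !P, !0 = 0, sort."""
    t = p[0]
    if t == 'par':
        cs = []
        for q in map(norm, p[1]):
            cs.extend(q[1] if q[0] == 'par' else [] if q[0] == 'nil' else [q])
        if not cs:
            return NIL
        return cs[0] if len(cs) == 1 else ('par', tuple(sorted(cs, key=repr)))
    if t == 'rep':
        q = norm(p[1])
        if q[0] in ('nil', 'rep'):
            return q
        if q[0] == 'par':
            return norm(('par', tuple(('rep', r) for r in q[1])))
        return ('rep', q)
    if t == 'cap':
        return ('cap', p[1], p[2], norm(p[3]))
    if t in ('amb', 'abs'):
        return (t, p[1], norm(p[2]))
    return p

def comps(p):
    """Parallel components of a normalised process."""
    return list(p[1]) if p[0] == 'par' else [] if p[0] == 'nil' else [p]

def unfold(cs):
    """Yield (usable component, remaining components); !P may be used as !P | P."""
    for i, c in enumerate(cs):
        rest = cs[:i] + cs[i + 1:]
        yield (c[1], rest + [c]) if c[0] == 'rep' else (c, rest)

def subst(p, x, n):
    """P{n/x}: replace variable x by name n (names and variables are disjoint, so nothing is captured)."""
    r = lambda v: n if v == x else v
    t = p[0]
    if t == 'par': return ('par', tuple(subst(q, x, n) for q in p[1]))
    if t == 'rep': return ('rep', subst(p[1], x, n))
    if t == 'cap': return ('cap', p[1], r(p[2]), subst(p[3], x, n))
    if t == 'amb': return ('amb', r(p[1]), subst(p[2], x, n))
    if t == 'msg': return ('msg', r(p[1]))
    if t == 'abs': return p if p[1] == x else ('abs', p[1], subst(p[2], x, n))
    return p

def reducts(p):
    """One-step reducts of p up to structural congruence (Red-Par, Red-Amb, Red-Str are built into the traversal)."""
    out = set()
    for a, rest in unfold(comps(norm(p))):
        if a[0] == 'amb':
            m = a[1]
            for q in reducts(a[2]):                               # Red-Amb
                out.add(par(*rest, amb(m, q)))
            for b, inner in unfold(comps(a[2])):                  # Red-Out:
                if b[0] == 'amb':                                 # m[n[out m.P1 | P2] | Q] -> n[P1 | P2] | m[Q]
                    for c, r2 in unfold(comps(b[2])):
                        if c[:3] == ('cap', 'out', m):
                            out.add(par(*rest, amb(b[1], par(*r2, c[3])), amb(m, par(*inner))))
        for b, r2 in unfold(rest):
            if a[:2] == ('cap', 'open') and b[:2] == ('amb', a[2]):   # Red-Open:
                out.add(par(*r2, a[3], b[2]))                         # open n.P | n[Q] -> P | Q
            if a[0] == 'amb' and b[0] == 'amb':                       # Red-In:
                for c, r3 in unfold(comps(a[2])):                     # n[in m.P1 | P2] | m[Q] -> m[n[P1 | P2] | Q]
                    if c[:3] == ('cap', 'in', b[1]):
                        out.add(par(*r2, amb(b[1], par(amb(a[1], par(*r3, c[3])), b[2]))))
            if a[0] == 'msg' and b[0] == 'abs':                       # Red-Com:
                out.add(par(*r2, subst(b[2], b[1], a[1])))            # <n> | (x) P -> P{n/x}
    return out

def reachable(p, k):
    """Processes reachable from p in at most k reduction steps (a bounded view of ==>)."""
    seen = frontier = {norm(p)}
    for _ in range(k):
        frontier = {q for r in frontier for q in reducts(r)} - seen
        seen = seen | frontier
    return seen

# The introduction's example P = !a[in c] | open a.b[0] and its single reduct in c | !a[in c] | b[0].
P_INTRO = par(rep(amb('a', cap('in', 'c'))), cap('open', 'a', amb('b')))
P_INTRO_REDUCT = par(cap('in', 'c'), rep(amb('a', cap('in', 'c'))), amb('b'))

# Example 3.3: Q' = !open n.in n.out n.in n.out n.n[0], P = Q' | n[0], Q = Q' | in n.out n.n[0].
Q_PRIME = rep(cap('open', 'n', cap('in', 'n', cap('out', 'n', cap('in', 'n', cap('out', 'n', amb('n')))))))
P_33 = par(Q_PRIME, amb('n'))
Q_33 = par(Q_PRIME, cap('in', 'n', cap('out', 'n', amb('n'))))

if __name__ == '__main__':
    assert reducts(P_INTRO) == {P_INTRO_REDUCT}
    # out n.Q matches the reduction n[m[out n.P]] -> n[0] | m[P] in three steps
    assert par(amb('n'), amb('m', P_33)) in reachable(amb('n', amb('m', cap('out', 'n', Q_33))), 3)
    print("ok")
```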

The following result is an easy consequence of the definition of $\simeq_{int}$:

Lemma 3.4. $\simeq_{int}$ is an equivalence relation.

Proof. The only point worth mentioning is that, for transitivity, to handle clause (8), one first needs to prove that $\simeq_{int}$ is preserved by parallel compositions with messages (which is anyhow straightforward). □

However, it is not obvious that $\simeq_{int}$ is preserved by all operators of the calculus, due to the fact that $\simeq_{int}$ is, intrinsically, higher-order. Formally, $\simeq_{int}$ is not higher-order, in that the labels of actions do not contain terms. Clause (3) of Definition 3.2, however, involves some higher-order computation, for a reduction may involve movement of terms (for instance, if the reduction uses rules Red-In or Red-Out). This, as usual in higher-order forms of bisimilarity, complicates the proof that bisimilarity is preserved by parallel composition.

3.2. Congruence. In this section, we establish congruence of intensional bisimilarity, using 
an auxiliary relation. 

3.2.1. Syntactical relation, ~. Our proof of congruence makes use of a second bisimilarity, 
~, that, by construction, is preserved by all operators of the calculus, and that is defined 
as follows: 

Definition 3.5. A symmetric relation on processes $\mathcal{R}$ is a syntax-based intensional bisimulation
if $P \mathcal{R} Q$ implies:

(1) If $P \equiv P_1 \mid P_2$ then there are $Q_s$ ($s = 1, 2$) such that $Q \equiv Q_1 \mid Q_2$ and for all $s$, $P_s \mathcal{R} Q_s$.

(2) If $P \equiv cap.P'$ then there are $Q', Q''$ such that

(a) $Q \equiv cap.Q'$,

(b) $Q' \Longrightarrow Q''$, and

(c) $P' \mathcal{R} Q''$.

(3) If $P \equiv \{n\}$ then $Q \equiv \{n\}$.

(4) If $P \equiv (x)P'$ then there is $Q'$ such that

(a) $Q \equiv (x)Q'$ and

(b) for all $n$ there is $Q''$ such that $\{n\} \mid Q \Longrightarrow Q''$ and $P'\{n/x\} \mathcal{R} Q''$.

(5) If $P \equiv n[P']$ then there is $Q'$ such that $Q \equiv n[Q']$ and $P' \mathcal{R} Q'$.

$\sim$ is the largest syntax-based intensional bisimulation. Given two open terms $P$ and $Q$, we
say that $P \sim^\circ Q$ holds iff for any closing substitution $\sigma$, $P\sigma \sim Q\sigma$.

Clause (4) is typical of asynchronous calculi, as is clause (5) of Definition 3.2. The
differences between the definitions of $\sim_{int}$ and $\sim$ are the following. First, labelled transitions
are replaced by structural congruence in the hypothesis of the corresponding clause. Second,
clause (3) about reductions of related processes is removed. Note that a clause for the
process $\mathbf{0}$ is not necessary (see Lemma 3.9 below).

Transitivity of $\sim$ is not obvious, because it is not immediate that $\sim$ is preserved under
reductions (there is no clause for matching $\tau$-transitions, and reductions (i.e., relation $\Longrightarrow$)
are used in a few places, such as the stuttering relation in the clauses for movement).

We shall prove that $\sim_{int}$ and $\sim$ coincide (Corollary 3.18 below). Thus, transitivity
of $\sim$ will hold because of $\sim_{int}$'s transitivity, and conversely, congruence of $\sim$ will ensure
congruence of $\sim_{int}$. This proof method, which exploits an auxiliary relation that is manifestly
preserved by the operators of the calculus but that is not manifestly preserved under
reductions, brings to mind Howe's proof technique for proving congruence of bisimilarity
in higher-order languages [23]. In our case, however, the problem is simpler because of the
intensional clauses (1) and (2) of the bisimilarity and because MA is not a fully higher-order
calculus: terms may move during a computation, but they may not be copied as a
consequence of a movement. We may say that MA is a linear higher-order calculus (indeed
the congruence of $\sim_{int}$ could also be proved directly, with a little more work).

In order to establish congruence of $\sim$, we introduce an important equality between
processes, that plays a technical role here but will also be used when characterising logical
equivalence in Section

Definition 3.6 (Eta law, $=_\eta$). The eta law is given by the following equation:

$(x)\,((x)P \mid \{x\}) = (x)P$.

We use the eta law to define the following three relations:

• $\longrightarrow_\eta$ is the eta law oriented from left to right; that is, $P \longrightarrow_\eta Q$ holds if $Q$ is obtained
from $P$ by applying the eta law once, from left to right, to one of its subterms (modulo $\equiv$).

• $\longrightarrow_\eta^*$ stands for the reflexive, transitive closure of $\longrightarrow_\eta$;

• $=_\eta$ is the smallest congruence satisfying the laws of $\equiv$ plus the eta law.

In the lemma below, we write $P \longrightarrow_{\eta h} P'$ if $P \longrightarrow_\eta P'$ and this represents a top-level
rewrite step, i.e., we do not rewrite under capabilities and input prefixes. Similarly, $\longrightarrow_{\eta h}^*$
is the reflexive and transitive closure of $\longrightarrow_{\eta h}$.

Lemma 3.7. Let $\mathcal{R}$ stand for $\longrightarrow_\eta$ or $\longrightarrow_{\eta h}$. Then:

(1) $\mathcal{R}$ is confluent up to $\equiv$, that is, for all $P, Q, R$ such that $P \mathcal{R}^* Q$ and $P \mathcal{R}^* R$, there are
$Q', R'$ such that $Q \mathcal{R}^* Q'$, $R \mathcal{R}^* R'$ and $Q' \equiv R'$.

(2) $\mathcal{R}$ is terminating, that is, $\mathcal{R}^*$ is a well-founded order.

We call the eta normal form of $P$ (the head eta normal form of $P$, respectively) the
unique normal form, up to $\equiv$, of $\longrightarrow_\eta$ (of $\longrightarrow_{\eta h}$, respectively).

Remark 3.8 (Eta law and stuttering). The eta law expresses a form of stuttering (in
communication, as opposed to stuttering in movements, see Definition 3.1). The logic
being insensitive to both forms of stuttering, we have to reason modulo the eta law.

We now present some results that are needed to prove congruence of $\sim$.

Lemma 3.9. If $\mathbf{0} \sim Q$ then $Q \equiv \mathbf{0}$.

Proof. Suppose $Q \equiv \mathbf{0}$ does not hold. This means that there exist $Q', Q''$ s.t. $Q \equiv Q' \mid Q''$,
with $Q'$ of the form $(x)R$, $\{p\}$, $M.R$, or $n[R]$. Then by applying the corresponding
clause in the definition of $\sim$, we deduce $Q \not\sim \mathbf{0}$, i.e., a contradiction. □

Lemma 3.10. $=_\eta\ \subseteq\ \sim$ and $=_\eta \sim =_\eta\ \subseteq\ \sim$.

Proof. Straightforward from the definition of $\sim$. □

If $\mathcal{R}$ is a binary relation on processes, we write $\mathcal{R}\{n/m\}$ for the relation defined as
$\{(P\{n/m\}, Q\{n/m\}) : (P, Q) \in \mathcal{R}\}$.

Lemma 3.11. If $\mathcal{R}$ is a $\sim$-bisimulation, then for any $n, m$, $\mathcal{R}\{n/m\}$ is a $\sim$-bisimulation.

Proof. Since $\tau$ transitions are not tested in $\sim$, substitution is not mentioned in Def. 3.5.
All clauses of the latter definition are obviously stable under substitution. □

Lemma 3.12. For any possibly open processes $P$ and $Q$, if $P \sim^\circ Q$ then $C\{|P|\} \sim^\circ C\{|Q|\}$,
for all contexts $C$.

Proof. By induction on $C$, using the definition of $\sim$. □

To prove that $\sim_{int}$ and $\sim$ coincide, the main result we need is that $\sim$ is preserved under
reductions:

Lemma 3.13. Suppose $P \sim Q$ and $P \longrightarrow P'$. Then there is $Q'$ such that $Q \Longrightarrow Q'$ and
$P' \sim Q'$.

Proof. By induction on the depth of the derivation proof of $P \longrightarrow P'$. We proceed by case
analysis on the last rule used in the derivation.

• Rule Red-Struct:

$\dfrac{P \equiv P_1 \qquad P_1 \longrightarrow P_2 \qquad P_2 \equiv P_3}{P \longrightarrow P_3}$

By Lemma 3.10, $P_1 \sim Q$; by induction $Q \Longrightarrow Q' \sim P_2$; again by Lemma 3.10, $Q' \sim P_3$.

• Rule Red-Par:

$\dfrac{P_1 \longrightarrow P_1'}{P_1 \mid P_2 \longrightarrow P_1' \mid P_2}$

By definition of $\sim$ there are $Q_i$ such that $Q \equiv Q_1 \mid Q_2$ and $P_i \sim Q_i$. Then we conclude,
using induction and Lemma 3.12.

• Rule Red-Amb: Use induction and Lemma 3.12.

• Rule Red-Com: Immediate by clauses (1), (3), and (4) of Definition 3.5.

• Rule Red-Open:

$open\ n.P_1 \mid n[P_2] \longrightarrow P_1 \mid P_2$

By definition of $\sim$, $Q \equiv open\ n.Q_1 \mid n[Q_2]$, and for some $Q_1'$ with $Q_1 \Longrightarrow Q_1'$, we
have: $P_1 \sim Q_1'$, $P_2 \sim Q_2$. We also have $Q \Longrightarrow Q_1' \mid Q_2$. Using Lemma 3.12 we derive
$P_1 \mid P_2 \sim Q_1' \mid Q_2$, which concludes the case.

• Rule Red-In:

$n[in\ m.P_1 \mid P_2] \mid m[P_3] \longrightarrow m[n[P_1 \mid P_2] \mid P_3]$

By definition of $\sim$, $Q \equiv n[in\ m.Q_1 \mid Q_2] \mid m[Q_3]$, and there exists $Q_1'$ such that
$Q_1 \Longrightarrow Q_1'$ and we have: $P_2 \sim Q_2$, $P_3 \sim Q_3$, and $P_1 \sim Q_1'$.

We also have $Q \Longrightarrow m[n[Q_1' \mid Q_2] \mid Q_3]$. Using Lemma 3.12 we derive

$m[n[P_1 \mid P_2] \mid P_3] \sim m[n[Q_1' \mid Q_2] \mid Q_3]$,

which concludes the case.

• Rule Red-Out: similar to the previous case. □

Corollary 3.14. Suppose $P \sim Q$ and $P \Longrightarrow P'$. Then there is $Q'$ such that $Q \Longrightarrow Q'$ and
$P' \sim Q'$.

Proof. By induction on the number of transitions in $P \Longrightarrow P'$, using Lemma 3.13 for the
inductive case. □

Lemma 3.15.

– $cap.P \sim_{int} Q$ implies $Q \equiv cap.Q'$, for some $Q'$.

– $\{n\} \sim_{int} Q$ implies $Q \equiv \{n\}$.

– $(x)P \sim_{int} Q$ implies $Q \equiv (x)Q'$, for some $Q'$.

Proof. In every case, we suppose by contradiction that $Q \equiv Q_1 \mid Q_2$ where none of the $Q_i$s
is structurally congruent to $\mathbf{0}$. Then $P$ and $Q$ can be distinguished using the clauses of $\sim_{int}$
for parallel composition and $\mathbf{0}$, which means a contradiction.

Therefore, $Q$ is single (it has only one component), and we can conclude using the
appropriate clause of the definition of $\sim_{int}$ in each case. □

Lemma 3.16. $\sim_{int}\ \subseteq\ \sim$.

Proof. By proving that $\sim_{int}$ is a $\sim$-bisimulation. The proof is easy, using Lemma 3.15. □

Lemma 3.17. $\sim\ \subseteq\ \sim_{int}$.

Proof. By proving that $\sim$ is a $\sim_{int}$-bisimulation. We need Lemma 3.12 (precisely, the fact
that $\sim$ is preserved by parallel composition), Lemma 3.10, Corollary 3.14 and Lemma 3.9. □

Corollary 3.18. Relations $\sim_{int}$ and $\sim$ coincide.

Corollary 3.19. Relations $\sim^\circ_{int}$ and $\sim^\circ$ are congruence relations.

Proof. Follows from Corollary 3.18 and Lemmas 3.4 and 3.12. □
3.3. Expressiveness results. In this subsection we recall some expressiveness results for
AL. These results state the existence of formulas capturing some nontrivial properties of
processes. They are proved in [21], and will be exploited later to assess the separating power
of the logic.

We start by introducing two measures on terms, that represent two ways of defining
the depth of a process. The first definition exploits the notion of eta normal form (see
Lemma 3.7):

Definition 3.20 (Sequentiality degree, sd). The sequentiality degree of a term $P$ is defined
as follows:

• $sd(\mathbf{0}) = 0$, $sd(P \mid Q) = \max(sd(P), sd(Q))$;

• $sd(n[P]) = sd(!P) = sd(P)$;

• $sd(cap.P) = 1 + sd(P)$;

• $sd(\{n\}) = 1$;

• $sd((x)P) = sd(P') + 1$ where $(x)P'$ is the eta normal form of $(x)P$.

Intuitively, the sequentiality degree counts the number of 'parcels of interaction' (capabilities,
messages, input prefixes) in a term. We now define the depth degree, that is sensitive
to the number of nested ambients. This quantity will be soon used in the interpretation of
some formulas of AL, but also to define an inductive order on processes (see Subsection 3.4).

Definition 3.21 (Depth degree). The depth degree of a process is computed using a function
$dd$ from MA processes to natural numbers, inductively defined by:

• $dd(\mathbf{0}) \triangleq 0$, $dd(cap.P) \triangleq 0$;

• $dd((x)P) \triangleq 0$, $dd(\{n\}) \triangleq 0$;

• $dd(n[P]) \triangleq dd(P) + 1$;

• $dd((!)P_1 \mid \ldots \mid (!)P_r) \triangleq \max_{1 \le i \le r} dd(P_i)$.

We introduce formulas that express some kind of possibility modalities corresponding
to the movement capabilities and input prefix of MA.

Lemma 3.22. For any $cap$, there exists a formula context $\langle\langle cap\rangle\rangle.\{|\cdot|\}$ such that for any
closed process $P$, and any formula $\mathcal{A}$,

$P \models \langle\langle cap\rangle\rangle.\{|\mathcal{A}|\}$ iff $\exists P', P''.\ P \equiv cap.P'$, $P' \Longrightarrow P''$ and $P'' \models \mathcal{A}$.

For all $n$, there is a formula $\{n\}$ such that

$P \models \{n\}$ iff $P \equiv \{n\}$.

For all $n$, there exists a formula context $\langle\langle ?n\rangle\rangle.\{|\cdot|\}$ such that for all process $P$ and formula
$\mathcal{A}$,

$P \models \langle\langle ?n\rangle\rangle.\{|\mathcal{A}|\}$ iff $\exists x, P', P''.\ P \equiv (x)P'$, $(x)P' \mid \{n\} \Longrightarrow P''$ and $P'' \models \mathcal{A}$.

We will also need the necessity modalities, that have a dual interpretation w.r.t. the
above formulas:

Lemma 3.23. For all $cap$, there is a formula context $[cap].\{|\cdot|\}$ such that for all process
$P$ and formula $\mathcal{A}$,

$P \models [cap].\{|\mathcal{A}|\}$ iff $\exists P'.\ P \equiv cap.P'$ and $\forall P''.\ P' \Longrightarrow P''$ implies $P'' \models \mathcal{A}$.

For all $n$, there is a formula context $[?n].\{|\cdot|\}$ such that, for all process $P$ and formula $\mathcal{A}$,

$P \models [?n].\{|\mathcal{A}|\}$ iff $\exists P', x.\ P \equiv (x)P'$ and $\forall P''.\ (x)P' \mid \{n\} \Longrightarrow P''$ implies $P'' \models \mathcal{A}$.



Each operator of the syntax of MA (Table 2.1) has thus a counterpart in the logic, except
replication. It is possible to express in AL a restricted form of replication on formulas,
by defining a formula $!\mathcal{A}$, expressing that there are infinitely many processes in parallel
satisfying $\mathcal{A}$, modulo some additional condition on $\mathcal{A}$. More precisely, based on Definitions 3.20
and 3.21 above, we say that a formula $\mathcal{A}$ is sequentially selective (resp. depth selective) if
all processes satisfying $\mathcal{A}$ have the same sequentiality degree (resp. depth degree).

Lemma 3.24. For all $cap$, there exists a formula context $Rep_{cap}\{|\cdot|\}$ such that for all
process $P$ and for all sequentially selective formula $\mathcal{A}$, whose models are only of the form
$cap.R$,

$P \models Rep_{cap}\{|\mathcal{A}|\}$ iff $\exists P_1, \ldots, P_r.\ P \equiv\ !P_1 \mid (!)P_2 \mid \ldots \mid (!)P_r$ and $P_i \models \mathcal{A}$, $i = 1 \ldots r$.

There exists a formula context $Rep_{input}\{|\cdot|\}$ such that for all process $P$ and for all formula
$\mathcal{A}$ sequentially selective whose models are only of the form $(x)P$,

$P \models Rep_{input}\{|\mathcal{A}|\}$ iff $\exists P_1, \ldots, P_r.\ P \equiv\ !P_1 \mid (!)P_2 \mid \ldots \mid (!)P_r$ and $P_i \models \mathcal{A}$, $i = 1 \ldots r$.



Similar results hold for the replicated version of the dual modalities. The notion of
depth selectiveness allows us to derive formulas that capture replicated ambients:

Lemma 3.25. For all $n$, there is a formula context $!n[\{|\cdot|\}]$ such that for all process $P$
and for all depth selective formula $\mathcal{A}$,

$P \models\ !n[\{|\mathcal{A}|\}]$ iff $\exists P_1, \ldots, P_r.\ P \equiv\ !P_1 \mid (!)P_2 \mid \ldots \mid (!)P_r$ and $P_i \models n[\mathcal{A}]$, $i = 1 \ldots r$.



By putting together these expressiveness results, we can derive formulas characterising
the equivalence class of a process w.r.t. logical equivalence for a subcalculus of MA, defined
as follows:

Definition 3.26 (Subcalculus $MA_{IF}$). Consider a process $P$, and a name $n \notin fn(P)$. We
say that $P$ is image-finite if any subterm of $P$ of the form $cap.P'$ (resp. $(x)P'$) is such that
the set

(resp. $\{P'' : P'\{n/x\} \Longrightarrow P''\}/\!\sim_{int}$) is finite. $MA_{IF}$ is the set of image-finite MA processes.

In the standard definition of image-finiteness, as used, e.g., to establish inductively
completeness of the Hennessy-Milner logic, one requires that the set of outcomes of the
process is finite. While exploring the possible outcomes (and in absence of restriction in
the process calculus), we may expose at top-level any subterm of the process, and hence
we implicitly require that all of its subterms are image-finite in the standard sense. On the
other hand, in our case, we do not impose that $P$ has only finitely many outcomes, but
only do so for some subterms. As a consequence, our notion is less restrictive, and any
image-finite process in the standard sense belongs to $MA_{IF}$.

For all $n$, there is a formula $!\{n\}$ such that $P \models\ !\{n\}$ iff $P \equiv\ !\{n\}$.

Lemma 3.27 (Characteristic formulas on $MA_{IF}$). For any closed $MA_{IF}$ process $P$, there
exists a formula $\mathcal{A}_P$ s.t. for any $Q$, these three conditions are equivalent:

(1) $Q \models \mathcal{A}_P$;

(2) $P =_L Q$;

(3) $P \sim_{int} Q$.

A final expressiveness result that will be needed later is the ability to test free name
occurrences in a process.

Lemma 3.28. For any name $n$, there exists a formula ©$n$ such that for any $P$, $P \models$ ©$n$
iff $n \in fn(P)$.

3.4. Soundness, and Completeness for Finite Processes. We now study soundness
and completeness of $\sim_{int}$ with respect to $=_L$. Soundness means that $\sim_{int}\ \subseteq\ =_L$, and
completeness is the converse. We show here soundness on the whole calculus. By contrast,
we only prove completeness on the finite processes, deferring the general result to the next
section. We chose to do this for the sake of clarity: the proof in the finite case is much
simpler, and exposes the basic ideas of the argument in the full calculus.

3.4.1. Soundness on full public MA. In order to prove soundness (on the whole calculus),
we use the definition of $\sim$ and the congruence property to establish that bisimilar processes
satisfy the same formulas.

Theorem 3.29 (Soundness of $\sim_{int}$). Assume $P, Q \in MA$, and suppose $P \sim_{int} Q$. Then,
for all $\mathcal{A}$, it holds that $P \models \mathcal{A}$ iff $Q \models \mathcal{A}$.

Proof. By induction on the size of $\mathcal{A}$.

• $\mathcal{A} = \top$.

Nothing to prove.

• $\mathcal{A} = \neg\mathcal{B}$ or $\mathcal{A} = \mathcal{B}_1 \vee \mathcal{B}_2$.

By induction and the definition of satisfaction.

• $\mathcal{A} = \mathbf{0}$.

By definition of satisfaction and clause (2) of the definition of $\sim_{int}$.

• $\mathcal{A} = n[\mathcal{B}]$.

Then $P \equiv n[P']$ and $P' \models \mathcal{B}$. Hence $Q \equiv n[Q']$ for some $Q' \sim_{int} P'$. By induction,
$Q' \models \mathcal{B}$; we can therefore conclude that also $Q \models n[\mathcal{B}]$ holds.

• $\mathcal{A} = \mathcal{A}_1 \mid \mathcal{A}_2$.

Then $P \equiv P_1 \mid P_2$ and $P_i \models \mathcal{A}_i$. By clause (1) of Definition 3.2, $Q \equiv Q_1 \mid Q_2$ for some
$Q_i \sim_{int} P_i$. By induction, $Q_i \models \mathcal{A}_i$; we can therefore conclude that also $Q \models \mathcal{A}_1 \mid \mathcal{A}_2$
holds.

• $\mathcal{A} = \forall x.\mathcal{B}$.

By definition of satisfaction, $P \models \mathcal{B}\{n/x\}$ for all $n$. The result for $Q$ then follows by
induction, for $\mathcal{B}\{n/x\}$ is strictly smaller than $\forall x.\mathcal{B}$.

• $\mathcal{A} = \Diamond\mathcal{B}$.

By definition of satisfaction, there is $P'$ such that $P \Longrightarrow P'$ and $P' \models \mathcal{B}$. Using clause
(3) of the definition of $\sim_{int}$, there is $Q'$ such that $Q \Longrightarrow Q' \sim_{int} P'$. By induction, $Q' \models \mathcal{B}$;
hence $Q \models \mathcal{A}$.

• $\mathcal{A} = \mathcal{B}@n$ or $\mathcal{A} = \mathcal{A}_1 \triangleright \mathcal{A}_2$.

Follows using induction and the congruence of $\sim_{int}$. □
3.4.2. Completeness, on finite processes. The proof of completeness we develop here is based
on the construction of a sequence of approximants of $\sim$, which is a standard approach for
image-finite calculi. This works in the finite case (finiteness implies image-finiteness), but
not in presence of replication. The proof is however interesting on its own, and gives a much
simpler account on how the logic expresses the clauses of $\sim_{int}$ than the proof for the whole
calculus.

Note that the definability of characteristic formulas for $\sim_{int}$ on $MA_{IF}$ (see Definition 3.26
and Lemma 3.27) implies completeness: for two $MA_{IF}$ processes $P$ and $Q$, $P =_L Q$ entails
$P \sim_{int} Q$. Since $MA_{IF}$ contains the set of finite processes, this already gives completeness
on finite processes. We nevertheless present here a proof that is specific to the finite case,
to prepare the ground for completeness on full public MA. The route we are interested
in for the completeness proof uses $i$-th approximants $\sim_i$ of relation $\sim$, and the fact that
$\sim_\omega = \bigcap_i \sim_i$ coincides with $\sim$.

Definition 3.30. We define the relations $\sim_i$ between processes, for all $i \ge 0$, as follows.

$\sim_0$ is the universal relation, and $\sim_{i+1}$ is defined by saying that $P \sim_{i+1} Q$ holds if we
have:

(1) If $P \equiv P_1 \mid P_2$ then there are $Q_s$ ($s = 1, 2$) such that $Q \equiv Q_1 \mid Q_2$ and for all $s$, $P_s \sim_i Q_s$.

(2) If $P \equiv cap.P'$ then there are $Q', Q''$ such that

(a) $Q \equiv cap.Q'$,

(b) $Q' \Longrightarrow Q''$, and

(c) $P' \sim_i Q''$.

(3) If $P \equiv \{n\}$ then $Q \equiv \{n\}$.

(4) If $P \equiv (x)P'$ then there is $Q'$ such that

(a) $Q \equiv (x)Q'$ and

(b) for all $n$ there is $Q''$ such that $\{n\} \mid Q \Longrightarrow Q''$ and $P'\{n/x\} \sim_i Q''$.

(5) If $P \equiv n[P']$ then there is $Q'$ such that $Q \equiv n[Q']$ and $P' \sim_i Q'$.

We set $\sim_\omega\ \triangleq\ \bigcap_{i \ge 0} \sim_i$.

Lemma 3.31. $\sim_\omega$ coincides with $\sim$ on finite processes.

Proof. Standard approximation result (finite processes are image finite). □

Lemma 3.32. Let $P, Q$ be two finite processes. If $P =_L Q$ then $P \sim_\omega Q$.

Proof. Suppose $P \not\sim_\omega Q$. Then there is $i$ such that $P \not\sim_i Q$. We prove, by induction on $i$,
that in this case we can find a formula $\mathcal{A}$ such that $P \models \mathcal{A}$ holds but $Q \models \mathcal{A}$ does not.

For $i = 0$, this trivially holds since the hypothesis $P \not\sim_0 Q$ is absurd, $\sim_0$ being the
universal relation.

Now the case $i + 1$, for $i \ge 0$. We proceed by case analysis:

(1) $P \equiv P_1 \mid P_2$, and for all $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ there is $t$ ($1 \le t \le 2$) such that
$P_t \not\sim_i Q_t$.

Modulo $\equiv$, there is a finite number, say $s$, of pairs of processes $Q_1, Q_2$ such that
$Q \equiv Q_1 \mid Q_2$ (note that by hypothesis $P$ is finite). Call $Q_{t,u}$ the $t$-th process of the $u$-th
pair. Then for all $u$ ($1 \le u \le s$) there is $t$ such that $P_t \not\sim_i Q_{t,u}$. By induction, there is
$\mathcal{A}_{t,u}$ such that

$P_t \models \mathcal{A}_{t,u}$ and $Q_{t,u} \not\models \mathcal{A}_{t,u}$.

Define

$\mathcal{B}_t = \bigwedge_{u\,:\,1 \le u \le s \text{ and } P_t \not\sim_i Q_{t,u}} \mathcal{A}_{t,u}$.

Then

$P \models \mathcal{B}_1 \mid \mathcal{B}_2$,

whereas

$Q \not\models \mathcal{B}_1 \mid \mathcal{B}_2$.

(2) $P \equiv cap.P'$; then necessarily $Q \equiv cap.Q'$, and for all $Q_t$ such that $Q' \Longrightarrow Q_t$, it holds
that $P' \not\sim_i Q_t$.

By induction, for all $t$ there is $\mathcal{A}_t$ such that $P' \models \mathcal{A}_t$ but $Q_t \not\models \mathcal{A}_t$. Since $Q$ is finite,
there is only a finite number of such processes $Q_t$ (up to $\equiv$). Write $(Q_t)_{t \in I}$ for this set
of processes up to $\equiv$ (we pick a representative for each $\equiv$-equivalence class), and call $\mathcal{A}_t$
the formula corresponding to each $Q_t$. Define

$\mathcal{A} \triangleq \langle\langle cap\rangle\rangle.\{|\bigwedge_{t \in I} \mathcal{A}_t|\}$,

using the standard notation for the (finite) conjunction of the $\mathcal{A}_t$s. Then $P \models \mathcal{A}$ but
$Q \not\models \mathcal{A}$.

(3) $P \equiv \{n\}$, and $Q \not\equiv \{n\}$: then $P \models \{n\}$, and $Q \not\models \{n\}$.

(4) $P \equiv (x)P'$, $Q \equiv (x)Q'$ and there is $n$ such that for all $Q_t$ such that $\{n\} \mid Q \Longrightarrow Q_t$, it
holds that $P'' \not\sim_i Q_t$, for $P'' \triangleq P'\{n/x\}$.

Modulo $\equiv$, there is only a finite number of such $Q_t$s, say $Q_1, \ldots, Q_s$. By induction,
there are formulas $\mathcal{A}_1, \ldots, \mathcal{A}_s$ with $P'' \models \mathcal{A}_t$ and $Q_t \not\models \mathcal{A}_t$. We introduce as above the
notation $(Q_t)_{t \in I}$, and we define

$\mathcal{A} = \langle\langle ?n\rangle\rangle.\{|\bigwedge_{t \in I} \mathcal{A}_t|\}$.

Then $P \models \mathcal{A}$, but $Q \not\models \mathcal{A}$, because whenever $\{n\} \mid Q \Longrightarrow Q_t$, it holds that $Q_t \not\models \mathcal{A}_t$.

(5) $P \equiv n[P']$, $Q \equiv n[Q']$ and $P' \not\sim_i Q'$.

By induction there is $\mathcal{A}'$ with $P' \models \mathcal{A}'$ but $Q' \not\models \mathcal{A}'$. Define $\mathcal{A} \triangleq n[\mathcal{A}']$; then $P \models \mathcal{A}$
but $Q \not\models \mathcal{A}$. □

Theorem 3.33 (Completeness on finite processes). Let $P, Q$ be two finite closed processes.
If $P =_L Q$ then $P \sim_{int} Q$.

Proof. Follows from Lemmas 3.31 and 3.32. □



4. Completeness of $\sim_{int}$ in the full calculus

The proof we have presented in the finite case cannot be used directly in the full MA
calculus, because we lack the image-finiteness hypothesis, which allowed us to show that the
limit $\sim_\omega$ coincides with $\sim$. In this section, we present a proof of the completeness of $\sim_{int}$
for all processes. To do this, we establish the existence, for any processes $P, Q$, of a formula
$\mathcal{F}_{P,Q}$ such that $P \models \mathcal{F}_{P,Q}$, and such that $Q \models \mathcal{F}_{P,Q}$ holds if and only if $P \sim_{int} Q$. This result
is hence weaker than the existence of characteristic formulas, but it does not require image
finiteness.
We sketch the structure of the proof. Our approach exploits two technical devices, that
we introduce first. We start by proving some lemmas related to the sequentiality degree
of a term (Definition 3.20), which allows us to define a sound induction principle on MA
processes. This principle supports the introduction of an inductive characterisation of $\sim_{int}$.
The second technical device we introduce is the set of frozen subterms of a process, that
intuitively corresponds to the collection of subterms appearing under guards (capabilities
or input prefixes) in a given term. These two technical notions are then used to define local
characteristic formulas, which correspond to a relaxed notion of characteristic formula w.r.t.
logical equivalence. An important fact about the set of frozen subterms of a process is that it
enjoys a kind of subject reduction property; this allows us to replace the potentially infinite
set of images of a term with a finite set when constructing local characteristic formulas.

4.1. An inductive characterisation of $\sim_{int}$. We now establish some properties related
to the sequentiality degree of processes. These allow us to introduce a well-founded order
on terms which supports the definition of an inductive relation that coincides with $\sim_{int}$.

Lemma 4.1. Let $P, Q$ be two terms of MA. Then:

(1) if $P \equiv Q$, then $sd(P) = sd(Q)$;

(2) if $P \longrightarrow Q$ or $P \xrightarrow{cap} Q$ then $sd(P) \ge sd(Q)$.

Proof. 1 is immediate, as is the result on $\xrightarrow{cap}$ in 2. For $P \longrightarrow Q$, we reason by induction on
the height of the derivation of $P \longrightarrow Q$. □

Corollary 4.2. For all $cap$, if $P \xrightarrow{cap} Q$, then $sd(P) > sd(Q)$.

This result will be important for the justification of Definition 4.9 below.

Lemma 4.3. For any closed process $P \in MA$, there exists a formula $\mathcal{F}_{sd(P)}$ such that:

• $P \models \mathcal{F}_{sd(P)}$, and

• for any term $Q$, if $Q \models \mathcal{F}_{sd(P)}$, then $sd(Q) \ge sd(P)$.

Proof. We can assume that $P$ is eta normalised. Let us first reason by induction on $sd(P)$:

• for $sd(P) = 0$, $\mathcal{F}_{sd(P)} = \top$ is sufficient.

• for $sd(P) > 0$, let us assume that there exist formulas $\mathcal{F}_{sd(P')}$ for any $P'$ such that
$sd(P') < sd(P)$. We reason by induction on $P$.

– the case $P = \mathbf{0}$ is impossible.

– for $P = P_1 \mid P_2$, there is $i$ such that $sd(P) = sd(P_i)$. Then we may choose $\mathcal{F}_{sd(P)} =
\mathcal{F}_{sd(P_i)} \mid \top$. In the same way, let us set $\mathcal{F}_{sd(\{n\})} = \{n\}$, $\mathcal{F}_{sd(!P)} = \mathcal{F}_{sd(P)} \mid \top$ and
$\mathcal{F}_{sd(n[P])} = n[\mathcal{F}_{sd(P)}]$.

– for $P = cap.P'$, we use the general induction hypothesis to construct $\mathcal{F}_{sd(P')}$. Let
us then take $\mathcal{F}_{sd(P)} = \langle\langle cap\rangle\rangle.\mathcal{F}_{sd(P')}$. Then $P \models \mathcal{F}_{sd(P)}$, and for any $Q$ such that
$Q \models \mathcal{F}_{sd(P)}$, we deduce (from Lemma 3.22) that there are $Q', Q''$ such that $Q \equiv cap.Q'$
and $Q' \Longrightarrow Q''$ with $Q'' \models \mathcal{F}_{sd(P')}$. Now by Lemma 4.1 $sd(Q) - 1 = sd(Q') \ge sd(Q'')$,
and by induction hypothesis $sd(Q'') \ge sd(P') = sd(P) - 1$, so that finally $sd(Q) \ge
sd(P)$.

– for $P = (x)P'$, we use the general induction hypothesis to get $\mathcal{F}_{sd(P')}$. Let us then take
$\mathcal{F}_{sd(P)} = \exists x.\,\mathcal{F}_{sd(P')}$. Then $P \models \mathcal{F}_{sd(P)}$, and for any $Q$ such that $Q \models \mathcal{F}_{sd(P)}$,
we deduce (from Lemma 3.22) that there are $n, Q', Q''$ such that $Q \equiv (x)Q'$ and
$Q_1 = \{n\} \mid (x)Q' \Longrightarrow Q''$ with $Q'' \models \mathcal{F}_{sd(P')}$. Now by Lemma 4.1 $sd(Q_1) - 1 = sd(Q) -
1 = sd(Q'\{n/x\}) \ge sd(Q'')$, and by induction hypothesis $sd(Q'') \ge sd(P') = sd(P) - 1$,
so that finally $sd(Q) \ge sd(P)$. □
A similar result can be proved for the depth degree of a process:

Lemma 4.4. For any closed process $P \in MA$, there exists a formula $\mathcal{F}_{dd(P)}$ such that:

• $P \models \mathcal{F}_{dd(P)}$, and

• for any term $Q$, if $Q \models \mathcal{F}_{dd(P)}$, then $dd(Q) \ge dd(P)$.

Proof. We reason as in the proof of the previous lemma. □

Corollary 4.5. If $P \sim_{int} Q$, then $sd(P) = sd(Q)$ and $dd(P) = dd(Q)$.

Proof. By Theorem 3.29, $P \sim_{int} Q$ implies $P =_L Q$, which gives the result. □

The sequentiality degree can be used as a basis for inductive reasoning on processes up
to reductions of some subterms. This is formalized by the following definition:

Definition 4.6 (Well-founded order). Given two processes $P$ and $Q$, we write $P < Q$ (or
$Q > P$) if either $sd(P) < sd(Q)$ or $P$ is a strict subterm of $Q$.

Lemma 4.7.

• $<$ is well-founded.

• Suppose $P$ is of the form either $cap.P'$ or $(x)P'$, and suppose moreover $P > Q$ and
$Q \xrightarrow{cap} Q'$ for some $cap$. Then $P > Q'$.

Proof. • Well-foundedness: if $P$ is a strict subterm of $Q$, then $sd(P) \le sd(Q)$.

• $P > Q'$: follows from Lemma 4.1. □

In order to give an inductive characterisation of $\sim_{int}$, we establish the following results
about $\sim_{int}$. These are inversion properties, in the sense that they allow one to deduce, from
$P \sim_{int} Q$, with $P$ having a given shape, consequences about the shape of $Q$.

Lemma 4.8 (Inversion results for $\sim_{int}$). Let $P, P_1, P_2, Q$ be processes of MA. Then

(1) $\mathbf{0} \sim_{int} Q$ iff $Q \equiv \mathbf{0}$.

(2) $n[P] \sim_{int} Q$ iff there exists $Q'$ such that $Q \equiv n[Q']$ and $P \sim_{int} Q'$.

(3) $P_1 \mid P_2 \sim_{int} Q$ iff there exist $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ and $P_i \sim_{int} Q_i$ for
$i = 1, 2$.

(4) $!P \sim_{int} Q$ iff there exist $r \ge 1$, $s \ge r$, $Q_i$ ($1 \le i \le s$) such that $Q \equiv \prod_{1 \le i \le r} !Q_i \mid
\prod_{r+1 \le i \le s} Q_i$, and $P \sim_{int} Q_i$ for $i = 1 \ldots s$.

(5) $cap.P \sim_{int} Q$ iff there exists $Q'$ such that $Q \equiv cap.Q'$ with $P \sim_{int} Q'$ and
$Q' \Longrightarrow \sim_{int} P$.

(6) $\{n\} \sim_{int} Q$ iff $Q \equiv \{n\}$.

(7) $(x)P \sim_{int} Q$ iff there exist $Q', m$ such that $m \notin fn(P) \cup fn(Q)$, $Q \equiv (x)Q'$,
$Q \mid \{m\} \Longrightarrow \sim_{int} P\{m/x\}$ and $(x)P \mid \{m\} \Long
Rightarrow \sim_{int} Q'\{m/x\}$.

Proof. We first leave out the fourth case.

For the other cases, the left to right implications follow from the fact that, in each case,
the corresponding clauses in the definitions of $\sim$ and $\sim_{int}$ are almost the same.

For the right to left implication, cases 1 and 6 hold by reflexivity of $\sim_{int}$, and cases 2
and 3 follow from congruence of $\sim_{int}$ (Corollary 3.19). Case 5 is similar to the corresponding
condition in $\sim$ (note that all other conditions are trivially fulfilled).

We explain case 7 in more detail. We take $P, Q, Q', x, m$ satisfying the required properties,
and further introduce processes $P_1$ and $Q_1$ by imposing $(x)P \mid \{m\} \Longrightarrow P_1 \sim_{int} Q'\{m/x\}$
and $Q \mid \{m\} \Longrightarrow Q_1 \sim_{int} P\{m/x\}$. To show that $P \sim_{int} Q$, we need to show that these
processes satisfy the condition for receptions in the definition of $\sim$ (Definition 3.5), all
other requirements being satisfied. Consider an arbitrary name $m'$; we want to show
that there exist $P'', Q''$ such that $Q \mid \{m'\} \Longrightarrow Q''$, $P\{m'/x\} \sim_{int} Q''$, $(x)P \mid \{m'\} \Longrightarrow P''$
and $P'' \sim_{int} Q'\{m'/x\}$. By hypothesis, this holds for $m' = m$, by taking $P'' = P_1$ and
$Q'' = Q_1$. Otherwise, we set $P'' = P_1\{m'/m\}$ and $Q'' = Q_1\{m'/m\}$. Then $(x)P \mid \{m'\} =
((x)P \mid \{m\})\{m'/m\} \Longrightarrow P_1\{m'/m\} = P''$ since $\Longrightarrow$ is closed under name replacement, and
$Q \mid \{m'\} \Longrightarrow Q''$ for the same reason. Moreover, since $\sim_{int}$ is also closed under name
replacement (Lemma 3.11), we deduce from the hypothesis $P_1 \sim_{int} Q'\{m/x\}$ that $P'' \sim_{int} Q'\{m'/x\}$,
and similarly from $Q_1 \sim_{int} P\{m/x\}$ that $Q'' \sim_{int} P\{m'/x\}$. As a consequence, the condition
is established for all $m'$. Note that the hypothesis about $m$ being fresh for $P, Q$ is crucial
in the proof above.

We are thus left with case 4. The right to left implication holds because, if we define
$\mathcal{R}$ as $\sim$ extended with all pairs of the form $(!P,\ \prod_{1 \le i \le r} !Q_i \mid \prod_{r+1 \le i \le s} Q_i)$, with the above
conditions, then $\mathcal{R}$ satisfies the clauses of $\sim$, hence $\mathcal{R}$ is $\sim$. We now consider the left to right
implication. First, note that by applying clauses (1) and (2) of Def. 3.2, it can be shown that for
any two bisimilar processes $P, Q$, if $P \equiv P' \mid P' \mid \ldots \mid P' \mid P''$, where $P$ contains at least $n$ copies
of some single process $P'$, then necessarily $Q \equiv Q_1 \mid \ldots \mid Q_n \mid Q'$ with $Q_i \sim P'$ for all $i$. This
entails the left to right implication in the case where $P$ is a single process. When $P$ is not
single, we write $P \equiv \prod_{1 \le i \le r} !P_i \mid \prod_{r+1 \le i \le s} P_i$, where $P_1, \ldots, P_s$ are single processes. Thanks
to the congruence rule $!(P_1 \mid P_2) \equiv\ !P_1 \mid\ !P_2$, $!P \equiv\ !P_1 \mid \ldots \mid\ !P_s$. Assume $!P \sim Q$. Applying
the inversion rule for parallel composition, we have $Q \equiv Q_1 \mid \ldots \mid Q_s$ with, for every $i$, $!P_i \sim Q_i$,
that is, using our reasoning on single processes, $Q_i \equiv \prod_{1 \le j \le r_i} !Q_{i,j} \mid \prod_{r_i+1 \le j \le s_i} Q_{i,j}$. Using
the law $!R \equiv\ !R \mid\ !R$, it is possible to choose all $r_i$ equal, and similarly applying $!R \equiv\ !R \mid R$
we can choose all $s_i$ equal. It is then a matter of rearranging the $Q_{i,j}$ in $Q'_1 \mid \ldots \mid Q'_s$ to write
$Q$ in the expected form. □

We can now define the inductively defined relation that characterises $\sim_{int}$.

Definition 4.9. Let $\sim_{ind}$ be the binary relation $P \sim_{ind} Q$ defined by induction on $P$ for
the order $<$ as follows:

(1) $\mathbf{0} \sim_{ind} Q$ if $Q \equiv \mathbf{0}$.

(2) $n[P] \sim_{ind} Q$ if there exists $Q'$ such that $Q \equiv n[Q']$ and $P \sim_{ind} Q'$.

(3) $P_1 \mid P_2 \sim_{ind} Q$ if there exist $Q_1, Q_2$ such that $Q \equiv Q_1 \mid Q_2$ and $P_i \sim_{ind} Q_i$ for
$i = 1, 2$.

(4) $!P \sim_{ind} Q$ if there exist $r \ge 1$, $s \ge r$, $Q_i$ ($1 \le i \le s$) such that $Q \equiv \prod_{1 \le i \le r} !Q_i \mid
\prod_{r+1 \le i \le s} Q_i$, and $P \sim_{ind} Q_i$ for $i = 1 \ldots s$.

(5) $cap.P \sim_{ind} Q$ if there exists $Q'$ such that $Q \equiv cap.Q'$ with $P \sim_{ind} Q'$ and
$Q' \Longrightarrow \sim_{ind} P$.

(6) $\{n\} \sim_{ind} Q$ if $Q \equiv \{n\}$.

(7) $(x)P \sim_{ind} Q$ if there exist $Q', m$ such that $m \notin fn(P) \cup fn(Q)$, $Q \equiv (x)Q'$,
$Q \mid \{m\} \Longrightarrow \sim_{ind} P\{m/x\}$ and $(x)P \mid \{m\} \Longrightarrow \sim_{ind} Q'\{m/x\}$.

Theorem 4.10. Relation $\sim_{ind}$ is well defined. Moreover, relations $\sim_{ind}$ and $\sim_{int}$ coincide.

Proof. The definition of $\sim_{ind}$ is justified using Lemma 4.7. The inclusion $\sim_{int}\ \subseteq\ \sim_{ind}$ is
established using the results of Lemma 4.8, which correspond precisely to the defining
clauses of $\sim_{ind}$. The converse inclusion follows from Lemma 4.8 too. □

4.2. Frozen subterms. We now introduce the notion of frozen subterms of a process. The
frozen subterms of a process correspond to occurrences that do not participate in immediate
interactions but that may play a role in future reductions.

In the remainder, we use $N$ to range over sets of names. Unless otherwise stated, we
always implicitly suppose that such a set is finite.

Definition 4.11 (Frozen subterms). Let $N$ be a set of names; the set $froz_N(P)$ is defined
by induction on $P$ as follows:

• $froz_N(\mathbf{0}) = froz_N(\{n\}) = \emptyset$;

• $froz_N(P_1 \mid P_2) = froz_N(P_1) \cup froz_N(P_2)$;

• $froz_N(!P) = froz_N(P)$;

• $froz_N(cap.P) = \{P\} \cup froz_N(P)$;

• $froz_N((x)P) = \bigcup_{n \in N} \big(\{P\{n/x\}\} \cup froz_N(P\{n/x\})\big)$.

If $P, P'$ are two structurally congruent terms, then, modulo $\equiv$, $froz_N(P) = froz_N(P')$.
Hence this set (in its quotiented version with respect to $\equiv$) is uniquely determined by the
structural congruence class of $P$.

Lemma 4.12 (Finiteness of $froz_N(P)$). For any $P \in MA$, if $N$ is finite, then the set
obtained by taking the quotient of $froz_N(P)$ w.r.t. $\equiv$ is finite.

Proof. By induction on $P$. □

Not only is $froz_N(P)$ finite, but, as expressed by the following result, this set is preserved
by reduction, in the following sense:

Lemma 4.13. Let $P, Q$ be two processes such that $P \longrightarrow Q$ or $P \xrightarrow{cap} Q$ for some $cap$, and
assume $fn(P) \subseteq N$. Then the quotient of $froz_N(Q)$ w.r.t. $\equiv$ is included in the quotient of
$froz_N(P)$ w.r.t. $\equiv$.

Proof. We recall that relation $\xrightarrow{cap}$ is defined on the syntax of processes (see Definition 3.1),
and the result follows by definition of $froz_N(P), froz_N(Q)$.

For $\longrightarrow$, we reason by induction on the derivation of $P \longrightarrow Q$. The cases corresponding
to movement transitions follow from $\xrightarrow{cap}$. So the only way a reduction could alter the set
of frozen terms is through name substitutions generated by communications, and this is
handled by the condition $fn(P) \subseteq N$. □
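As an added example (not code from the paper), the three syntax-directed measures of Definitions 3.20, 3.21 and 4.11 are computed below over a small term representation of public MA processes, together with one constructed instance of the inclusion stated by Lemma 4.13. The term classes, the purely syntactic treatment of structural congruence, the literal-binder eta rewriting and the ambient clause used for $froz_N$ are assumptions of this code, not the paper's.

```python
"""Added example, not code from the paper: sd, dd and froz_N (Definitions 3.20,
3.21 and 4.11) over a small term representation of public MA processes.
Assumptions made here (the paper fixes none of them): terms are compared
syntactically (no quotient by structural congruence beyond flattening | and
dropping 0); eta rewriting uses the literal binder x; froz_N(n[P]) = froz_N(P)
stands in for the ambient clause that Definition 4.11 does not state."""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Union
@dataclass(frozen=True)
class Nil: pass                               # 0
@dataclass(frozen=True)
class Par: left: Proc; right: Proc            # P | Q
@dataclass(frozen=True)
class Amb: name: str; body: Proc              # n[P]
@dataclass(frozen=True)
class Cap: kind: str; name: str; body: Proc   # cap.P, kind in {"in", "out", "open"}
@dataclass(frozen=True)
class Msg: name: str                          # {n}
@dataclass(frozen=True)
class Input: var: str; body: Proc             # (x)P, binding x in P
@dataclass(frozen=True)
class Repl: body: Proc                        # !P
Proc = Union[Nil, Par, Amb, Cap, Msg, Input, Repl]

def components(p: Proc) -> list:
    """Parallel components of p: flatten | and drop 0 (the only congruence laws used)."""
    if isinstance(p, Nil):
        return []
    return components(p.left) + components(p.right) if isinstance(p, Par) else [p]

def subst(p: Proc, n: str, x: str) -> Proc:
    """P{n/x}: replace the free occurrences of the variable x by the name n."""
    ren = lambda m: n if m == x else m
    if isinstance(p, Par):
        return Par(subst(p.left, n, x), subst(p.right, n, x))
    if isinstance(p, Amb):
        return Amb(ren(p.name), subst(p.body, n, x))
    if isinstance(p, Cap):
        return Cap(p.kind, ren(p.name), subst(p.body, n, x))
    if isinstance(p, Msg):
        return Msg(ren(p.name))
    if isinstance(p, Input):              # a rebinding of x stops the substitution
        return p if p.var == x else Input(p.var, subst(p.body, n, x))
    return Repl(subst(p.body, n, x)) if isinstance(p, Repl) else p

def eta_head(p: Input) -> Input:
    """Head eta normal form (Definition 3.6, Lemma 3.7): rewrite (x)((x)P | {x})
    to (x)P while the body is, up to reordering and 0, an input on x plus {x}."""
    while True:
        comps = components(p.body)
        inner = [c for c in comps if isinstance(c, Input) and c.var == p.var]
        msgs = [c for c in comps if isinstance(c, Msg) and c.name == p.var]
        if len(comps) != 2 or len(inner) != 1 or len(msgs) != 1:
            return p
        p = inner[0]                      # one eta step; sd recurses into the body

def sd(p: Proc) -> int:
    """Sequentiality degree (Definition 3.20)."""
    if isinstance(p, Par):
        return max(sd(p.left), sd(p.right))
    if isinstance(p, (Amb, Repl)):
        return sd(p.body)
    if isinstance(p, Cap):
        return 1 + sd(p.body)
    if isinstance(p, Input):              # sd(P') + 1 where (x)P' is the eta normal form
        return 1 + sd(eta_head(p).body)
    return 1 if isinstance(p, Msg) else 0 # {n} counts 1, 0 counts 0

def dd(p: Proc) -> int:
    """Depth degree (Definition 3.21): guarded terms and messages count 0."""
    if isinstance(p, Par):
        return max(dd(p.left), dd(p.right))
    return dd(p.body) + (1 if isinstance(p, Amb) else 0) if isinstance(p, (Amb, Repl)) else 0

def froz(names: FrozenSet[str], p: Proc) -> FrozenSet[Proc]:
    """froz_N(P) of Definition 4.11 with N = names (ambient clause: assumption above)."""
    if isinstance(p, Par):
        return froz(names, p.left) | froz(names, p.right)
    if isinstance(p, (Repl, Amb)):
        return froz(names, p.body)
    if isinstance(p, Cap):
        return frozenset({p.body}) | froz(names, p.body)
    if isinstance(p, Input):              # instantiate the bound variable by every name of N
        insts = [subst(p.body, n, p.var) for n in names]
        return frozenset(insts).union(*(froz(names, q) for q in insts))
    return frozenset()                    # 0 and {n}

# Constructed sample term:  P = n[ in m.{a} | (x)((x){x} | {x}) ] | !{b}
SAMPLE: Proc = Par(
    Amb("n", Par(Cap("in", "m", Msg("a")),
                 Input("x", Par(Input("x", Msg("x")), Msg("x"))))),
    Repl(Msg("b")))

def frozen_inclusion_instance() -> bool:
    """One instance of Lemma 4.13 on constructed terms: along the Red-Open step
    open n.{a} | n[(x)in x.0] -> {a} | (x)in x.0, with N = {n, a} covering the free
    names, the frozen set of the reduct is included in that of the redex."""
    before = Par(Cap("open", "n", Msg("a")), Amb("n", Input("x", Cap("in", "x", Nil()))))
    after, names = Par(Msg("a"), Input("x", Cap("in", "x", Nil()))), frozenset({"n", "a"})
    return froz(names, after) <= froz(names, before) and Msg("a") not in froz(names, after)
```

On SAMPLE the eta step turns the inner input into (x){x}, so sd(SAMPLE) = 2 rather than 3, while dd(SAMPLE) = 1 because only the ambient n contributes nesting.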

4.3. Local characteristic formulas and completeness. The purpose of this subsection
is to derive local characteristic formulas, defined as follows:

Definition 4.14 (Local characteristic formula). Let $\mathcal{E}$ be a set of terms, $P$ a term and
$\mathcal{F}$ a formula. We say that $\mathcal{F}$ is a characteristic formula for $P$ on $\mathcal{E}$ (or, alternatively, an
$\mathcal{E}$-characteristic formula for $P$) if

• $P \models \mathcal{F}$, and

• for any $Q \in \mathcal{E}$, if $Q \models \mathcal{F}$ then $Q \sim_{int} P$.
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Note that the converse of the second condition always holds, due to soundness of ~i nt 
(Theorem [3J29]): if Q G £ and Q ~ int P, then Q\=P. 

With this definition, completeness of $\sim_{int}$ boils down to the existence, for any processes $P, Q$, of a characteristic formula for $P$ on the set $\{Q\}$. Although we do not define such a formula directly, this idea guides the construction of the completeness proof. More precisely, we reason inductively on the sequentiality degree of processes, and manipulate two sets of terms, given a process $P$:

• $\mathcal{E}_P \stackrel{\mathrm{def}}{=} \{P' \mid \exists\,\mathit{cap}.\ P \stackrel{\mathit{cap}}{\Longrightarrow} P'\}$, that collects the possible evolutions of $P$,

• and $\mathcal{E}_P^{froz,N} \stackrel{\mathrm{def}}{=} \{P' \mid \mathit{froz}_N(P') \subseteq \mathit{froz}_N(P)\}$, that intuitively is the set of processes whose possible evolutions can be captured using the evolutions of $P$.

We want to establish the existence, for all $P, Q$, of a local characteristic formula for $P$ on $\mathcal{E}_Q$ and on $\mathcal{E}_Q^{froz,N}$. We first prove the following result:

Lemma 4.15. If a formula $F$ characterises $P$ on $\mathcal{E}_Q^{froz,N}$ and $N \supseteq \mathrm{fn}(Q)$, then $F$ characterises $P$ on $\mathcal{E}_Q$.

Proof. Follows from Lemma 4.13. □

The following lemma describes the construction of a local characteristic formula for guarded terms (of the form $\mathit{cap}.P$ or $(x)P$) on $\mathcal{E}_Q^{froz,N}$, provided we can compute, given several (smaller) processes $R$, local characteristic formulas on $\mathcal{E}_R$:

Lemma 4.16. Consider two processes $P$ and $Q$, and a set $N$ of names such that $\mathrm{fn}(P) \cup \mathrm{fn}(Q) \subseteq N$. Assume moreover that, for all $Q' \in \mathit{froz}_N(Q)$, we can construct a formula $F_{P,Q'}$ characterising $P$ on $\mathcal{E}_{Q'}$ and a formula $F_{Q',P}$ characterising $Q'$ on $\mathcal{E}_P$. We then have:

• for all $\mathit{cap}$ there exists a formula characterising $\mathit{cap}.P$ on $\mathcal{E}_Q^{froz,N}$;

• for all $n$ such that $P$ is not of the form $\{n\} \mid (y)P'$ with $n \notin \mathrm{fn}(P')$, and for all $x$ with $x \notin \mathrm{fv}(P)$, there exists a formula characterising $(x)(P\{x/n\})$ on $\mathcal{E}_Q^{froz,N}$.

Proof.

• Let $\mathit{cap}$ be a given capability. Set $\mathcal{E} = \{Q' \in \mathit{froz}_N(Q) : \forall P' \text{ s.t. } P \Rightarrow P',\ P' \not\sim_{int} Q'\}$; $\mathcal{E} \subseteq \mathit{froz}_N(Q)$, so by Lemma 4.12 $\mathcal{E}$ is finite, and we can define the formula:

$$F \;\stackrel{\mathrm{def}}{=}\; \langle\!\langle \mathit{cap}\rangle\!\rangle\Big\{\!\Big|\ \bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}\ \Big|\!\Big\} \;\wedge\; [\mathit{cap}]\Big\{\!\Big|\ \bigwedge_{Q' \in \mathcal{E}} \neg F_{Q',P}\ \Big|\!\Big\}.$$

We prove first that $\mathit{cap}.P \models F$: by hypothesis, $P \models F_{P,Q'}$ for all $Q' \in \mathit{froz}_N(Q)$, so that we have $\mathit{cap}.P \models \langle\!\langle \mathit{cap}\rangle\!\rangle\{\!|\bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}|\!\}$. Let $P'$ be such that $P \Rightarrow P'$, and consider any $Q' \in \mathcal{E}$. Then by hypothesis $P' \models F_{Q',P}$ would imply $P' \sim_{int} Q'$, and hence $Q' \notin \mathcal{E}$, which is contradictory. So $P' \models \bigwedge_{Q' \in \mathcal{E}} \neg F_{Q',P}$, and finally $\mathit{cap}.P \models F$.

Conversely, consider $R \in \mathcal{E}_Q^{froz,N}$ such that $R \models F$. We show that $R \sim_{int} \mathit{cap}.P$. First, there is $Q'$ such that $R \equiv \mathit{cap}.Q'$ and $Q' \Rightarrow Q_0$ for some $Q_0$ with $Q_0 \models F_{P,Q''}$ for all $Q'' \in \mathit{froz}_N(Q)$. Since $R \in \mathcal{E}_Q^{froz,N}$ and $Q' \in \mathit{froz}_N(R)$, we have $Q' \in \mathit{froz}_N(Q)$, so $Q_0 \models F_{P,Q'}$; as $Q_0 \in \mathcal{E}_{Q'}$, the hypothesis on $F_{P,Q'}$ gives $Q_0 \sim_{int} P$, which is the first part of the condition for $\mathit{cap}.P \sim_{ind} R$ (Definition 4.9). Furthermore, since $R$ satisfies the 'necessity' part of the formula $F$, $Q' \models \bigwedge_{Q'' \in \mathcal{E}} \neg F_{Q'',P}$, that is $Q' \notin \mathcal{E}$. Thus there is $P'$ with $P \Rightarrow P'$ and $P' \sim_{int} Q'$, which gives the second part of the condition.

• Let $n, x$ be chosen as in the statement of the lemma. We set $P_0 = (x)(P\{x/n\})$. Similarly as before, we define $\mathcal{E} = \{Q' \in \mathit{froz}_N(Q) : \forall P' \text{ s.t. } P \Rightarrow P',\ P' \not\sim_{int} Q'\}$; again $\mathcal{E} \subseteq \mathit{froz}_N(Q)$, so $\mathcal{E}$ is finite, and we may define the formula:

$$F \;\stackrel{\mathrm{def}}{=}\; \neg\,\text{©}n \;\wedge\; \langle\!\langle ?n\rangle\!\rangle\Big(\mathsf{NonEta} \wedge \bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}\Big) \;\wedge\; [?n]\Big(\mathsf{NonEta} \rightarrow \bigwedge_{Q' \in \mathcal{E}} \neg F_{Q',P}\Big)$$

with

$$\mathsf{NonEta} \;\stackrel{\mathrm{def}}{=}\; \neg\big(\{n\} \mid (\neg\,\text{©}n \wedge \langle\!\langle ?n\rangle\!\rangle \mathsf{T})\big).$$

Intuitively, the role of formula $\mathsf{NonEta}$ is to detect when the reducts of a process satisfying $F$ stop being eta-equivalent to the initial state.

Let us prove that $P_0 \models F$: $n \notin \mathrm{fn}(P_0)$ by construction, $P_0 \mid \{n\} \Rightarrow P$, $P \models \mathsf{NonEta}$ and $P \models \bigwedge_{Q' \in \mathit{froz}_N(Q)} F_{P,Q'}$ by hypothesis, so $P_0$ satisfies the second conjunct in $F$. Take $P'$ such that $P_0 \mid \{n\} \Rightarrow P'$ and $P' \models \mathsf{NonEta}$; we prove that $P' \not\models F_{Q',P}$ for all $Q' \in \mathcal{E}$. Since $P' \models \mathsf{NonEta}$, $P' \not\equiv_\eta P_0 \mid \{n\}$, so $P \Rightarrow P'$. As a consequence, $P' \models F_{Q',P}$ iff $P' \sim_{int} Q'$. Then by definition of $\mathcal{E}$, $P' \models \bigwedge_{Q' \in \mathcal{E}} \neg F_{Q',P}$. As this holds for all such $P'$, we have that $P_0 \models F$.

Let us now prove that if $R \in \mathcal{E}_Q^{froz,N}$ and $R \models F$ then $R \sim_{int} P_0$. Consider such a process $R$. Then $n \notin \mathrm{fn}(R)$, and there exist $Q', R'$ such that $R \equiv (x)Q'$ and $R \mid \{n\} \Rightarrow R'$ with $R' \models \mathsf{NonEta} \wedge \bigwedge_{Q'' \in \mathit{froz}_N(Q)} F_{P,Q''}$. Let $(x)Q''$ be the head eta normal form of $(x)Q'$. By definition, $Q''\{n/x\}$ belongs to $\mathit{froz}_N(Q)$, and any reduction $(x)Q' \mid \{n\} \Rightarrow T$ where $T$ is not eta-equivalent to $(x)Q' \mid \{n\}$ goes through the state $Q''\{n/x\}$ (i.e., that reduction can be written $(x)Q' \mid \{n\} \Rightarrow Q''\{n/x\} \Rightarrow T$). Due to the definition of $\mathsf{NonEta}$, we actually have that $R' \not\equiv_\eta (x)Q' \mid \{n\}$, so $Q''\{n/x\} \Rightarrow R'$. Since $R' \models F_{P,Q''\{n/x\}}$, $R' \sim_{int} P$ and the first part of the condition for input in Definition 4.9 is satisfied. Moreover, $R \mid \{n\} \Rightarrow Q''\{n/x\}$ and $Q''\{n/x\} \models \mathsf{NonEta}$, so $Q''\{n/x\} \models \bigwedge_{Q' \in \mathcal{E}} \neg F_{Q',P}$. Since $Q''\{n/x\} \in \mathit{froz}_N(Q)$, we finally have $Q''\{n/x\} \notin \mathcal{E}$, that is, there is $P'$ such that $P \Rightarrow P'$ and $P' \sim_{int} Q''\{n/x\}$. This proves the second condition for $P_0 \sim_{ind} (x)Q''$, and since $(x)Q'' \equiv_\eta R$, we finally have $P_0 \sim_{int} R$. □

We now prove that, given $P$, we can deduce a local characteristic formula for $P$ from local characteristic formulas for its guarded subterms.

Lemma 4.17. Consider two processes $P$ and $Q$, and a set of names $N$, and suppose that, for each subterm of $P$ of the form $\mathit{cap}.P'$ or $(x)P'$, we can construct an $\mathcal{E}_Q^{froz,N}$-characteristic formula. Then there exists an $\mathcal{E}_Q^{froz,N}$-characteristic formula for $P$.

Proof. We assume, without loss of generality, that all occurrences of the replication operator in $P$ are immediately above a guarded process (this is always possible up to $\equiv$).

We construct such a formula $F_P$ by induction on $P$. The cases for $\mathbf{0}$, parallel composition, and ambient are easy. Formulas for messages and replicated messages have been given above, and by hypothesis, we have formulas for guarded processes. We are thus left with the case of replicated terms.

D. HIRSCHKOFF, E. LOZES, AND D. SANGIORGI

If $P = !n[P']$, then $F_P = !n[\{\!|F_{P'}|\!\}]$ is an $\mathcal{E}_Q^{froz,N}$-characteristic formula, since $F_{P'}$ is depth selective (all processes satisfying $F_{P'}$ are intensionally bisimilar to $P'$, so their depth degree is equal to $\mathrm{dd}(P')$; see Corollary 4.5). If $P = !\mathit{cap}.P'$, then $F_P = \mathsf{Rep}_{\mathit{cap}}\{\!|F_{\mathit{cap}.P'}|\!\}$, since $F_{\mathit{cap}.P'}$ is sequentially selective. We reason in the same way for the case $P = !(x)P'$.

□

□ 

Lemma 4.18. For all $P, Q$ and $N \supseteq \mathrm{fn}(P) \cup \mathrm{fn}(Q)$, there exist characteristic formulas for $P$ on $\mathcal{E}_Q$ and on $\mathcal{E}_Q^{froz,N}$.

Proof. From Lemma 4.15, it is sufficient to construct a local characteristic formula on $\mathcal{E}_Q^{froz,N}$. We remark that, without loss of generality, $P, Q$ can be chosen so that every binding $(x)P$ involves a different variable, and this is enough to build characteristic formulas for the set $N$ enriched with distinct names $n_x$ associated to all variables $x$ occurring in $P$ and $Q$. We reason by induction on $\mathrm{sd}(P)$. If $\mathrm{sd}(P) = 0$, then $P$ has no guarded subterms, and the conditions of Lemma 4.17 are fulfilled, which implies the existence of a local characteristic formula for $P$.

Assume now $\mathrm{sd}(P) > 0$, and, for all $P'$ such that $\mathrm{sd}(P') < \mathrm{sd}(P)$, and for all $Q$, there exists a characteristic formula for $P'$ on $\mathcal{E}_Q$. Consider a process $Q$. By Lemma 4.17 the existence of an $\mathcal{E}_Q^{froz,N}$-characteristic formula for $P$ can be proved by establishing the existence of an $\mathcal{E}_Q^{froz,N}$-characteristic formula for each guarded subterm of $P$ of the form $\mathit{cap}.P'$ or $(x)P'$. Consider such a guarded subterm $\mathit{cap}.P'$. We have $\mathrm{sd}(P') < \mathrm{sd}(P)$, so by induction there exists a formula $F_{P',Q'}$ which is an $\mathcal{E}_{Q'}$-characteristic formula for $P'$ for each $Q' \in \mathit{froz}_N(Q)$. Moreover, by induction, we also have a formula $F_{Q',P'}$ which is a characteristic formula for $Q'$ on $\mathcal{E}_{P'}$ when $\mathrm{sd}(Q') \leq \mathrm{sd}(P') < \mathrm{sd}(P)$. In the case $\mathrm{sd}(Q') > \mathrm{sd}(P')$, we define $F_{Q',P'}$ as the formula $F_{\mathrm{sd}(Q')}$ given in Lemma 4.3. This formula characterises $Q'$ on $\mathcal{E}_{P'}$: $Q' \models F_{\mathrm{sd}(Q')}$ by Lemma 4.3, and if $P'' \in \mathcal{E}_{P'}$ then $\mathrm{sd}(P'') \leq \mathrm{sd}(P') < \mathrm{sd}(Q')$, so $P'' \not\models F_{\mathrm{sd}(Q')}$. Hence the requirements of Lemma 4.16 are fulfilled, and there exists an $\mathcal{E}_Q^{froz,N}$-characteristic formula for $\mathit{cap}.P'$.

Similarly, consider a subterm of the form $(x)P'$, and write $(x)P''$ for its eta normal form. As above, we have local characteristic formulas $F_{P''\{n_x/x\},Q'}$ and $F_{Q',P''\{n_x/x\}}$ by induction and using Lemma 4.3 with a similar reasoning. Since $(x)P''$ is in normal form, all requirements of Lemma 4.16 are satisfied, so that there exists an $\mathcal{E}_Q^{froz,N}$-characteristic formula for $(x)P''$, which is also a characteristic formula for $(x)P'$ by Lemma 3.10.

Finally, we have characteristic formulas for all guarded subterms, and by Lemma 4.17 we have an $\mathcal{E}_Q^{froz,N}$-characteristic formula for $P$. □

Theorem 4.19 (Completeness of $\sim_{int}$). In MA, $=_L \subseteq \sim_{int}$.

Proof. Let $P, Q$ be two terms such that $P \not\sim_{int} Q$. By Lemma 4.18 there is a formula $F$ characterising $P$ on $\mathcal{E}_Q$. We have $P \models F$. We also have $Q \in \mathcal{E}_Q$, so $Q \models F$ would imply $P \sim_{int} Q$. Hence, since by hypothesis $P \not\sim_{int} Q$, $Q \not\models F$, and $P \neq_L Q$. □

Corollary 4.20. In MA, relations $=_L$, $\sim_{int}$ and $\sim_{ind}$ coincide.



5. Characterizations of logical equivalences 

In this section, we compare logical equivalence and standard equivalence relations on processes, like behavioural equivalence and structural congruence. We give an axiomatisation of $=_L$ on $\mathrm{MA}_{IF}$, a subcalculus of MA in which image-finiteness is guaranteed by a syntactical condition (Definition 5.2 below). We shall see that AL is very intensional, in the sense that $=_L$ is 'almost equal' to $\equiv$. More precisely, we show that logical equivalence coincides with $\equiv_\eta$, the relation obtained by extending structural congruence with the eta law (Definition 3.6). We establish the following chain of (dis)equalities, on $\mathrm{MA}_{IF}$:

$$\equiv \;\subsetneq\; \equiv_\eta \;=\; =_L \;=\; \sim_{int} \;\subsetneq\; \approx .$$

We then move to the study of a variant of $\mathrm{MA}_{IF}$ in which communication is synchronous, and show that logical equivalence coincides with $\equiv$ on this calculus. We end this section with a detailed discussion of the treatment of name restriction.

5.1. Extensionality and intensionality. We use the characterisation of $=_L$ as $\sim_{int}$ to compare logical equivalence with barbed congruence ($\approx$) and structural congruence ($\equiv$). We start by studying the difference between $=_L$ and $\approx$.

5.1.1. N on- extensionality. 

Theorem 5.1. Relation $=_L$ is strictly included in $\approx$.

Proof. The inclusion follows from $=_L \subseteq \sim_{int}$ and $\sim_{int} \subseteq \approx$ (the second inclusion is essentially a consequence of the congruence of $\sim_{int}$).

The strictness of the inclusion is proved by the following laws, that are valid for $\approx$ but not for $\sim_{int}$:

(1) $\mathit{in}\ n.\mathit{in}\ n \;\approx\; \mathit{in}\ n \mid \mathit{in}\ n$

(2) $(x)(y) \;\approx\; (x) \mid (y)$

(3) $(x)\{x\} \;\approx\; \mathbf{0}$. □

The third law is typical of behavioural equivalences in calculi where communication is asynchronous. The first law can be derived from a more general one, called the distribution law in [22]: $M.(P \mid M.P \mid \ldots \mid M.P) \approx M.P \mid M.P \mid \ldots \mid M.P$ (where $M$ appears the same number of times on both sides of the equality). A similar law is valid for the input prefix, from which the second law above is derived as an instance. The above are probably not the only laws that make $=_L$ finer than $\approx$, but a complete axiomatisation of $\approx$ over $=_L$ is out of the scope of this paper.
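As an added worked example (not part of the original text), here is a formula of AL that separates the two sides of law (1). It uses the composition connective $A \mid B$, satisfied by $P$ iff $P \equiv P_1 \mid P_2$ with $P_1 \models A$ and $P_2 \models B$, and the capability modality $\langle\!\langle \mathit{cap}\rangle\!\rangle\{\!|A|\!\}$, satisfied by $P$ iff $P \equiv \mathit{cap}.P'$ for some $P'$ with $P' \Rightarrow P'' \models A$ (the reading used in the proof of Lemma 4.16). Take

$$F \;\stackrel{\mathrm{def}}{=}\; \langle\!\langle \mathit{in}\ n\rangle\!\rangle\{\!|\mathsf{T}|\!\} \;\mid\; \langle\!\langle \mathit{in}\ n\rangle\!\rangle\{\!|\mathsf{T}|\!\}.$$

Then $\mathit{in}\ n \mid \mathit{in}\ n \models F$, with the decomposition $P_1 = P_2 = \mathit{in}\ n$, since $\mathit{in}\ n \equiv \mathit{in}\ n.\mathbf{0}$ and $\mathbf{0} \Rightarrow \mathbf{0} \models \mathsf{T}$. On the other hand, any decomposition $\mathit{in}\ n.\mathit{in}\ n \equiv P_1 \mid P_2$ has $P_1 \equiv \mathbf{0}$ or $P_2 \equiv \mathbf{0}$ (a prefixed process cannot be split into two non-trivial parallel components up to $\equiv$), and $\mathbf{0} \not\equiv \mathit{in}\ n.P'$ for every $P'$, so $\mathbf{0} \not\models \langle\!\langle \mathit{in}\ n\rangle\!\rangle\{\!|\mathsf{T}|\!\}$ and $\mathit{in}\ n.\mathit{in}\ n \not\models F$. Hence

$$\mathit{in}\ n.\mathit{in}\ n \;\neq_L\; \mathit{in}\ n \mid \mathit{in}\ n \qquad\text{although}\qquad \mathit{in}\ n.\mathit{in}\ n \;\approx\; \mathit{in}\ n \mid \mathit{in}\ n .$$

The logic observes the parallel structure directly; this is exactly the parallel-composition clause of $\sim_{int}$ that the distribution law violates. The same argument, with $k$ copies of $\langle\!\langle M\rangle\!\rangle\{\!|\mathsf{T}|\!\}$ in parallel, separates the two sides of the distribution law for any $k \geq 2$ occurrences of $M$, since its left-hand side is a single prefixed process.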

5.1.2. Intensionality. We now provide a precise account of the difference between $=_L$ and $\equiv$, in the setting of the subcalculus $\mathrm{MA}_{IF}$, defined as below. We recall that a process is finite if it does not use the replication operator.

Definition 5.2 ($\mathrm{MA}_{IF}$). The subcalculus $\mathrm{MA}_{IF}$ is defined by the grammar:

$$P \;::=\; \mathbf{0} \;\mid\; P \mid P \;\mid\; !P \;\mid\; n[P] \;\mid\; \mathit{cap}.P_0 \;\mid\; \{n\} \;\mid\; (x)P_0$$

where $P_0$ is a finite process.

In $\mathrm{MA}_{IF}$, we impose finiteness after any form of interaction; in contrast, processes exhibiting an 'infinite spatial structure', such as $!a[b[\mathbf{0}]]$, are allowed.

Lemma 5.3. All processes of $\mathrm{MA}_{IF}$ are image-finite.

Proof. $\mathrm{MA}_{IF}$ is included in $\mathrm{MA}_{if}$, since the finiteness condition on $P_0$ in Definition 5.2 implies that $\{P' : P_0 \Rightarrow P'\}/\!\sim_{int}$ and $\{P' : P_0\{n/x\} \Rightarrow P'\}/\!\sim_{int}$ respectively are finite sets. Any process in $\mathrm{MA}_{IF}$ is thus in $\mathrm{MA}_{if}$, and is hence image-finite in the sense of Definition 3.26. □

$\mathrm{MA}_{IF}$ strictly contains the finite calculus we considered for the completeness proof in Section 3.4.2. Therefore, Theorem 3.33 does not apply, but Corollary 4.20, which holds for the whole calculus, does. Like $\mathrm{MA}_{if}$, $\mathrm{MA}_{IF}$ is image-finite, in the sense of Definition 3.26. While in the former subcalculus this property is guaranteed at a semantical level, in $\mathrm{MA}_{IF}$ it follows from a syntactic restriction (we forbid replication in process $P_0$; see Definition 5.2).

We will see in Section 6 that $\mathrm{MA}_{IF}$ is Turing complete.

We let normalised structural congruence, written $\equiv_\eta$, be the relation defined by the rules of $\equiv$ plus the eta law (see Definition 3.6).

Lemma 5.4. $\equiv_\eta \subseteq \sim_{int}$.

Proof. It is enough to prove that given $P, Q$ such that $P \rightarrow_\eta Q$, we have $P \sim_{int} Q$. We reason by induction on $P$, following Lemma 4.8. In that lemma, the situations corresponding to the operators of parallel composition, ambients and capability prefixes are easy because of commutation properties of $\rightarrow_\eta$. In the cases of $\mathbf{0}$ and of messages, there is no redex for

So we only have to examine the clause for the input condition in $\sim_{int}$. Let $n$ be a fresh

The converse of this lemma is the difficult part of the characterisation of $=_L$ in $\mathrm{MA}_{IF}$. This is proved by showing that two intensionally bisimilar finite processes have essentially the same number of prefixes and messages. Using the separative power given by the logic, this entails that $\sim_{int} \subseteq \equiv_\eta$ on $\mathrm{MA}_{IF}$. It has to be stressed that we rely here on the syntactical finiteness condition defining $\mathrm{MA}_{IF}$, and that our approach does not apply to, e.g., $\mathrm{MA}_{if}$.

We write $\mathit{messages}(R)$ for the number of messages in $R$, and $\mathit{pref}(R)$ for the number of capabilities and abstractions in $R$. In the lemmas below, $\sim$ stands for $\sim_{int}$.

Lemma 5.5. Let $P$ be a finite process. Suppose $P \rightarrow P'$. Then

(1) $\mathit{messages}(P) \geq \mathit{messages}(P')$;

(2) $\mathit{pref}(P) \geq \mathit{pref}(P')$.

Proof. By induction on the derivation of $P \rightarrow P'$. □

Lemma 5.6. Let $P, Q$ be two finite processes. Suppose that $P \sim Q$, and that both $P$ and $Q$ are eta-normalised. Then $\mathit{messages}(P) = \mathit{messages}(Q)$.

Proof. Suppose $\mathit{messages}(P) > \mathit{messages}(Q)$. We derive a contradiction. We proceed by a case analysis on the shape of $P$ (i.e., the number of its operators).

• $P = P_1 \mid P_2$. Then, by definition of $\sim$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \sim Q_i$. Now, for some $i$, we should have $\mathit{messages}(P_i) \neq \mathit{messages}(Q_i)$, which is impossible, by the induction on the shape.

• $P = \mathit{cap}.P'$. Then, by definition of $\sim$, it must be $Q \equiv \mathit{cap}.Q'$ and $Q' \Rightarrow Q'' \sim P'$. It will then be, by Lemma 5.5(1), $\mathit{messages}(P') = \mathit{messages}(P) > \mathit{messages}(Q) = \mathit{messages}(Q') \geq \mathit{messages}(Q'')$, which is impossible, by the induction on the shape.

• $P = (x)P'$. Then, by definition of $\sim$, it must be $Q \equiv (x)Q'$; moreover, for $n$ fresh, there must be $Q''$ such that $\{n\} \mid (x)Q' \Rightarrow Q'' \sim P'\{n/x\}$.

If the reduction $\{n\} \mid (x)Q' \Rightarrow Q''$ contains at least one step, then we would have $\mathit{messages}(P'\{n/x\}) = \mathit{messages}(P) > \mathit{messages}(Q') \geq \mathit{messages}(Q'')$ and therefore, by induction on the shape, we could not have $Q'' \sim P'\{n/x\}$.

Therefore, suppose $Q'' = \{n\} \mid (x)Q'$. Then $Q'' \sim P'\{n/x\}$ implies $P'\{n/x\} \equiv \{n\} \mid (x)P''$, for some $(x)P''$ with $n$ fresh for $P$ and $Q$. Hence, since $n$ was chosen fresh, the original process $P$ must have been of the form $(x)(\{x\} \mid (x)P'')$. This means that, modulo $\equiv$, $P$ was not eta-normalised, thus contradicting a hypothesis of the lemma.

• If $P = \{n\}$ then by definition of $\sim$ we should have $Q \equiv \{n\}$, which is impossible, since the hypothesis is $\mathit{messages}(P) > \mathit{messages}(Q)$. □
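As an added, executable illustration of the counting argument (this is example code written for this page, not part of the paper or of any tool of its authors), the following Python module models finite, replication-free, asynchronous MA terms, implements the four reduction rules Red-In, Red-Out, Red-Open and Red-Com closed under parallel composition and ambient nesting, and defines the counters $\mathit{messages}(\cdot)$ and $\mathit{pref}(\cdot)$ of this subsection. Parallel composition is kept flattened, so that associativity, commutativity and $P \mid \mathbf{0} \equiv P$ need no separate treatment (the order of parallel components is not identified, so structurally congruent reducts may appear more than once in a set). The sample term `SAMPLE` is constructed for the example; `check_lemma_5_5` verifies, over every reachable state, the two inequalities of Lemma 5.5, and `run` follows one reduction path to show how messages and prefixes are consumed.

```python
from dataclasses import dataclass
from itertools import chain

# Syntax of finite asynchronous MA terms (no replication, no restriction).
@dataclass(frozen=True)
class Par:                      # P1 | ... | Pk   (ZERO is the empty composition)
    parts: tuple
@dataclass(frozen=True)
class Amb:                      # n[P]
    name: str
    body: object
@dataclass(frozen=True)
class Cap:                      # in n.P, out n.P, open n.P
    op: str
    name: str
    cont: object
@dataclass(frozen=True)
class Msg:                      # {n}   (asynchronous message)
    name: str
@dataclass(frozen=True)
class Inp:                      # (x)P
    var: str
    body: object

ZERO = Par(())

def parts(p):
    return p.parts if isinstance(p, Par) else (p,)

def par(*ps):
    """Flattened parallel composition; a single component is returned as itself."""
    flat = tuple(chain.from_iterable(parts(q) for q in ps))
    return flat[0] if len(flat) == 1 else Par(flat)

def replace(ps, i, new, j=None):
    """Rebuild a composition from the tuple ps, dropping positions i (and j) and adding new."""
    return par(*[q for k, q in enumerate(ps) if k not in (i, j)], new)

def subst(p, x, n):
    """P{n/x}. Assumes bound variables are pairwise distinct and differ from x (the
    convention of Lemma 4.18), so no capture can occur."""
    s = lambda m: n if m == x else m
    if isinstance(p, Par): return Par(tuple(subst(q, x, n) for q in p.parts))
    if isinstance(p, Amb): return Amb(s(p.name), subst(p.body, x, n))
    if isinstance(p, Cap): return Cap(p.op, s(p.name), subst(p.cont, x, n))
    if isinstance(p, Msg): return Msg(s(p.name))
    return p if p.var == x else Inp(p.var, subst(p.body, x, n))

def messages(p):
    """Number of messages in p."""
    if isinstance(p, Msg): return 1
    if isinstance(p, Par): return sum(map(messages, p.parts))
    return messages(p.cont if isinstance(p, Cap) else p.body)

def pref(p):
    """Number of capability prefixes and abstractions in p."""
    if isinstance(p, Msg): return 0
    if isinstance(p, Par): return sum(map(pref, p.parts))
    if isinstance(p, Amb): return pref(p.body)
    return 1 + pref(p.cont if isinstance(p, Cap) else p.body)

def reducts(p):
    """All one-step reducts of p."""
    ps, out = parts(p), set()
    for i, a in enumerate(ps):
        if isinstance(a, Amb):
            for b in reducts(a.body):                      # reduction inside an ambient
                out.add(replace(ps, i, Amb(a.name, b)))
            bs = parts(a.body)                             # Red-Out: m[n[out m.P | Q] | R] -> n[P | Q] | m[R]
            for j, child in enumerate(bs):
                if not isinstance(child, Amb): continue
                for k, c in enumerate(parts(child.body)):
                    if isinstance(c, Cap) and c.op == 'out' and c.name == a.name:
                        moved = Amb(child.name, replace(parts(child.body), k, c.cont))
                        out.add(replace(ps, i, par(Amb(a.name, replace(bs, j, ZERO)), moved)))
        for j, b in enumerate(ps):
            if i == j: continue
            if isinstance(a, Amb) and isinstance(b, Amb):  # Red-In: n[in m.P | Q] | m[R] -> m[n[P | Q] | R]
                for k, c in enumerate(parts(a.body)):
                    if isinstance(c, Cap) and c.op == 'in' and c.name == b.name:
                        entered = Amb(a.name, replace(parts(a.body), k, c.cont))
                        out.add(replace(ps, i, Amb(b.name, par(b.body, entered)), j))
            if isinstance(a, Cap) and a.op == 'open' and isinstance(b, Amb) and b.name == a.name:
                out.add(replace(ps, i, par(a.cont, b.body), j))           # Red-Open: open n.P | n[Q] -> P | Q
            if isinstance(a, Msg) and isinstance(b, Inp):
                out.add(replace(ps, i, subst(b.body, b.var, a.name), j))  # Red-Com: {n} | (x)P -> P{n/x}
    return out

def show(p):
    """Readable rendering of a term, e.g. 'a[in b.{m}] | b[open a.(x)x[0]]'."""
    if isinstance(p, Par): return ' | '.join(map(show, p.parts)) or '0'
    if isinstance(p, Amb): return f"{p.name}[{show(p.body)}]"
    g = lambda q: f"({show(q)})" if isinstance(q, Par) and len(q.parts) > 1 else show(q)
    if isinstance(p, Cap): return f"{p.op} {p.name}.{g(p.cont)}"
    if isinstance(p, Msg): return "{" + p.name + "}"
    return f"({p.var}){g(p.body)}"

def run(p):
    """Follow reductions from p, picking the first reduct at each step, until none exists."""
    trace = [p]
    while (nxt := reducts(trace[-1])):
        trace.append(sorted(nxt, key=show)[0])
    return trace

def check_lemma_5_5(p):
    """Lemma 5.5 over every reachable state: one step never increases messages() or pref()."""
    todo, seen = [p], set()
    while todo:
        q = todo.pop()
        if q in seen: continue
        seen.add(q)
        for r in reducts(q):
            if messages(r) > messages(q) or pref(r) > pref(q): return False
            todo.append(r)
    return True

# Constructed sample: one movement step, one open step and one communication step.
SAMPLE = par(Amb('a', Cap('in', 'b', Msg('m'))),
             Amb('b', Cap('open', 'a', Inp('x', Amb('x', ZERO)))))

if __name__ == '__main__':
    for q in run(SAMPLE):
        print(f"{show(q):40} messages={messages(q)} pref={pref(q)}")
```

On `SAMPLE` the run is `a[in b.{m}] | b[open a.(x)x[0]]`, then `b[open a.(x)x[0] | a[{m}]]`, then `b[(x)x[0] | {m}]`, then `b[m[0]]`: the prefix count goes 3, 2, 1, 0 (one prefix or abstraction per step), while the message count stays at 1 through the two movement steps and drops to 0 at the communication, which is the pattern Lemma 5.5 states and Lemma 5.8 exploits.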

Lemma 5.7. Let $P, Q$ be two finite processes. Suppose $P \sim Q$, and that both $P$ and $Q$ are eta-normalised. Then $\mathit{pref}(P) = \mathit{pref}(Q)$.

Proof. Suppose $\mathit{pref}(P) > \mathit{pref}(Q)$. We derive a contradiction. We proceed by induction on the shape of $P$.

• If $P = \mathbf{0}$ then $Q \equiv \mathbf{0}$.

• $P = P_1 \mid P_2$. Then, by definition of $\sim$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \sim Q_i$. Now, for some $i$, we should have $\mathit{pref}(P_i) \neq \mathit{pref}(Q_i)$, which is impossible, by the induction on the shape.

• $P = \mathit{cap}.P'$. Then, by definition of $\sim$, it must be $Q \equiv \mathit{cap}.Q'$ and $Q' \Rightarrow Q'' \sim P'$. Then

$$\mathit{pref}(P') = \mathit{pref}(P) - 1 > \mathit{pref}(Q) - 1 = \mathit{pref}(Q') \geq \mathit{pref}(Q'').$$

Hence $\mathit{pref}(P') > \mathit{pref}(Q'')$, which is impossible by the induction on the shape.

• $P = (x)P'$. Then, by definition of $\sim$, it must be $Q \equiv (x)Q'$; moreover, given $n$ fresh, there must be $Q''$ such that $\{n\} \mid (x)Q' \Rightarrow Q'' \sim P'\{n/x\}$.

Moreover, by the previous lemma we know that $\mathit{messages}(P) = \mathit{messages}(Q)$, and we should also have $\mathit{messages}(P'\{n/x\}) = \mathit{messages}(Q'')$.

The reduction $\{n\} \mid (x)Q' \Rightarrow Q''$ must contain at least one step, for otherwise we could not have $\mathit{messages}(P'\{n/x\}) = \mathit{messages}(Q'')$. For the same reason, during these reductions only the message $\{n\}$ may have been consumed (no other messages). Thus $\{n\} \mid (x)Q' \Rightarrow Q''$ can be written as

$$\{n\} \mid (x)Q' \;\rightarrow\; Q'\{n/x\} \;\Rightarrow\; Q'',$$

where $\mathit{pref}(Q') = \mathit{pref}(Q'\{n/x\})$ and also $\mathit{pref}(Q'\{n/x\}) \geq \mathit{pref}(Q'')$ (Lemma 5.5(2)).

Therefore we have $\mathit{pref}(P'\{n/x\}) = \mathit{pref}(P) - 1 > \mathit{pref}(Q) - 1 = \mathit{pref}(Q') \geq \mathit{pref}(Q'')$. By the induction on the shape, this is in contradiction with $Q'' \sim P'\{n/x\}$. □

Lemma 5.8. Let $P, Q$ be two finite processes. Suppose $P \sim Q$, with both $P$ and $Q$ eta-normalised. If $P \xrightarrow{\mathit{cap}} P'$, then there is $Q'$ such that $Q \xrightarrow{\mathit{cap}} Q' \sim P'$. Similarly, if $P \rightarrow P'$, then there is $Q'$ such that $Q \rightarrow Q' \sim P'$.

Proof. From Lemmas 5.7 and 5.6: if $Q$ performed more than one action, then it would consume one more prefix or message than $P$. □
Theorem 5.9. Let $P, Q$ be processes of $\mathrm{MA}_{IF}$. Suppose $P \sim Q$, with both $P$ and $Q$ eta-normalised. Then $P \equiv Q$.

Proof. By induction on the shape of $P$.

• If $P = \mathbf{0}$ then also $Q \equiv \mathbf{0}$.

• Suppose $P = P_1 \mid P_2$. Then, by definition of $\sim$, $Q \equiv Q_1 \mid Q_2$ with $P_i \sim Q_i$. By induction, $P_i \equiv Q_i$. Hence also $P \equiv Q$.

• Suppose $P = !P'$. Then, by Lemma 4.8, there are $r$ and some $(Q_i)_{1 \leq i \leq r}$ such that

$$Q \;\equiv\; !Q_1 \mid (!)Q_2 \mid \cdots \mid (!)Q_r,$$

and $P' \sim Q_i$ for all $i$. By induction, $P' \equiv Q_i$ for all $i$, so finally $Q \equiv !Q_1 \equiv P$.

• $P = \mathit{cap}.P'$. By definition of $\sim$, $Q \equiv \mathit{cap}.Q'$ and there is $Q''$ such that $Q' \Rightarrow Q'' \sim P'$. By construction of $\mathrm{MA}_{IF}$, $P', Q'$ are finite, so that we may apply Lemma 5.8. Then it must be $Q' \equiv Q''$, and therefore by induction $Q' \equiv P'$. We conclude that $P \equiv Q$.

• $P = \{n\}$, $P = n[P']$: straightforward.

• $P = (x)P'$. By definition of $\sim$, we have $Q \equiv (x)Q'$, and again by construction of $\mathrm{MA}_{IF}$, $P', Q'$ are finite. Since $\sim$ is a congruence, given $n$, $\{n\} \mid P \sim \{n\} \mid (x)Q'$. We have $\{n\} \mid P \rightarrow P'\{n/x\}$, hence by Lemma 5.8 $\{n\} \mid (x)Q' \rightarrow Q'\{n/x\} \sim P'\{n/x\}$. By induction, $P'\{n/x\} \equiv Q'\{n/x\}$; since this holds for any $n$, $P' \equiv Q'$. □

Corollary 5.10. Let $P, Q$ be processes of $\mathrm{MA}_{IF}$. Then $P =_L Q$ iff $P \equiv_\eta Q$.

Proof. First, $=_L \subseteq \sim_{int}$ by Theorem 4.19 (Corollary 4.20 holds on the whole of MA, whereas Theorem 3.33 only covers finite processes), and $\sim_{int} \subseteq \equiv_\eta$ by Theorem 5.9, applied to the eta normal forms of the two processes (by Lemma 5.4, normalisation does not affect $\sim_{int}$). Conversely, $\equiv_\eta \subseteq \sim_{int}$ by Lemma 5.4 and $\sim_{int} \subseteq =_L$ by Theorem 3.29. □



5.2. Synchronous communications. We now consider a variant of Mobile Ambients where communication is synchronous. For this the production $\{n\}$ for messages in the grammar of MA in Table 2.1 is replaced by the production $\{n\}.P$. Communication is thus synchronous: in $\{n\}.P$, the process $P$ is blocked until the message $\{n\}$ has been consumed. Reduction rule Red-Com becomes:

$$\text{Red-Com} \qquad \{n\}.Q \mid (x)P \;\rightarrow\; Q \mid P\{n/x\}$$

In the remainder of this subsection, terms belonging to the synchronous version of the calculus will be referred to simply as 'processes'. Since our goal here is to study how the result given by Corollary 5.10 changes when moving to a synchronous calculus, we focus directly on $\mathrm{MA}^s_{IF}$, the set of all terms of the synchronous calculus in which processes guarded by prefixes are finite (along the lines of Definition 5.2, which introduces $\mathrm{MA}_{IF}$). We shall see that in $\mathrm{MA}^s_{IF}$ the eta law fails and the equivalence relation induced by the logic is precisely structural congruence.

In order to show this, we have to port the results about (asynchronous) MA to the synchronous case. The co-inductive characterisation in terms of $\sim_{int}$ (that is, Theorems 3.29 and 3.33) remains true, provided that in the definition of intensional bisimulation the communication clauses are replaced by the following:

• If $P \xrightarrow{?n} P'$, then there is $Q'$ such that $Q \stackrel{?n}{\Longrightarrow} Q'$ and $P' \mathcal{R} Q'$.

• If $P \xrightarrow{!n} P'$, then there is $Q'$ such that $Q \stackrel{!n}{\Longrightarrow} Q'$ and $P' \mathcal{R} Q'$.

Accordingly, we have to change the definition of syntactical intensional bisimulation by adapting the following clauses for communicating processes:

• If $P \equiv (x)P'$ then there is $Q'$ such that $Q \equiv (x)Q'$ and for all $n$ there is $Q''$ such that $Q'\{n/x\} \Rightarrow Q''$ and $P'\{n/x\} \mathcal{R} Q''$.

• If $P \equiv \{n\}.P'$ then there is $Q'$ such that $Q \equiv \{n\}.Q'$ and $Q' \Rightarrow Q'' \mathcal{R} P'$ for some $Q''$.

As shown in [21], formulas similar to those that are needed in the asynchronous case can be derived for the synchronous calculus. In particular, we have:

Lemma 5.11 ([21]).

• For all $A$, there is a formula $\langle\!\langle ?n\rangle\!\rangle.\{\!|A|\!\}$ such that for all $P$, $P \models \langle\!\langle ?n\rangle\!\rangle.\{\!|A|\!\}$ iff there is $P'$ such that $P \equiv (x)P'$ and $P'\{n/x\} \Rightarrow P'' \models A$ for some $P''$.

• For all $A$, there is a formula $\langle\!\langle !n\rangle\!\rangle.\{\!|A|\!\}$ such that for all $P$, $P \models \langle\!\langle !n\rangle\!\rangle.\{\!|A|\!\}$ iff there is $P'$ such that $P \equiv \{n\}.P'$ and $P' \Rightarrow P'' \models A$ for some $P''$.

Using this result, the soundness and completeness proofs for $\sim_{int}$ with respect to $=_L$ follow exactly the same scheme as in the asynchronous case (see Sections 3 and 4), except that we do not need to reason on eta-normalised terms.

Theorem 5.12 (Soundness and completeness of $\sim_{int}$). Given two processes $P$ and $Q$ of synchronous Mobile Ambients, $P \sim_{int} Q$ iff $P =_L Q$.

We now derive the counterpart of the properties we have established above for $\mathrm{MA}_{IF}$ about the number of messages and prefixes in a term.

Lemma 5.13. Suppose $P \rightarrow P'$, where $P$ is a finite process. Then

(1) $\mathit{messages}(P) \geq \mathit{messages}(P')$;

(2) $\mathit{pref}(P) \geq \mathit{pref}(P')$.

Proof. By induction on the derivation of $P \rightarrow P'$. □

Lemma 5.14. Let $P, Q$ be two finite processes and suppose $P \sim Q$. Then $\mathit{messages}(P) = \mathit{messages}(Q)$.

Proof. Suppose $\mathit{messages}(P) > \mathit{messages}(Q)$. We derive a contradiction. We proceed by a case analysis on the shape of $P$ (i.e., the number of its operators).

• $P = P_1 \mid P_2$. Then, by definition of $\sim$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \sim Q_i$. Now, for some $i$, we should have $\mathit{messages}(P_i) \neq \mathit{messages}(Q_i)$, which is impossible, by the induction on the shape.

• $P = \mathit{cap}.P'$. Then, by definition of $\sim$, it must be $Q \equiv \mathit{cap}.Q'$ and $Q' \Rightarrow Q'' \sim P'$. It will then be, by Lemma 5.13(1), $\mathit{messages}(P') = \mathit{messages}(P) > \mathit{messages}(Q) = \mathit{messages}(Q') \geq \mathit{messages}(Q'')$, which is impossible, by the induction on the shape.

• $P = \{n\}.P'$. Then $Q \equiv \{n\}.Q'$ and $P' \sim Q'$. But $\mathit{messages}(P') > \mathit{messages}(Q')$, which by induction is impossible.

• $P = (x)P'$. Then $Q \equiv (x)Q'$ and, for $h$ fresh, $Q'\{h/x\} \Rightarrow Q''$ with $P'\{h/x\} \sim Q''$ and $\mathit{messages}(P'\{h/x\}) > \mathit{messages}(Q'')$, so we can conclude by induction. □

Lemma 5.15. Let $P, Q$ be two finite processes, and suppose $P \sim Q$. Then $\mathit{pref}(P) = \mathit{pref}(Q)$.

Proof. Suppose $\mathit{pref}(P) > \mathit{pref}(Q)$. We derive a contradiction. We proceed by induction on the shape of $P$.

• If $P = \mathbf{0}$ then $Q \equiv \mathbf{0}$.

• $P = P_1 \mid P_2$. Then, by definition of $\sim$, it must be $Q \equiv Q_1 \mid Q_2$ with $P_i \sim Q_i$. Now, for some $i$, it should be $\mathit{pref}(P_i) \neq \mathit{pref}(Q_i)$, which is impossible, by the induction on the shape.

• $P = \mathit{cap}.P'$. Then, by definition of $\sim$, it must be $Q \equiv \mathit{cap}.Q'$ and $Q' \Rightarrow Q'' \sim P'$. Then

$$\mathit{pref}(P') = \mathit{pref}(P) - 1 > \mathit{pref}(Q) - 1 = \mathit{pref}(Q') \geq \mathit{pref}(Q'').$$

Hence $\mathit{pref}(P') > \mathit{pref}(Q'')$, which is impossible by the induction on the shape.

• $P = \{n\}.P'$. Similar to the capability case.

• $P = (x)P'$. Then $Q \equiv (x)Q'$ and there is $Q''$ such that $Q'\{h/x\} \Rightarrow Q''$ and $P'\{h/x\} \sim Q''$. There is no consumption of messages, hence $\mathit{pref}(P'\{h/x\}) = \mathit{pref}(P) - 1 > \mathit{pref}(Q) - 1 = \mathit{pref}(Q'\{h/x\}) \geq \mathit{pref}(Q'')$, and we can conclude using induction. □

Lemma 5.16. Let $P, Q$ be two finite processes, and suppose $P \sim Q$. If $P \xrightarrow{\mathit{cap}} P'$, then there is $Q'$ such that $Q \xrightarrow{\mathit{cap}} Q' \sim P'$. Similarly, if $P \rightarrow P'$, then there is $Q'$ such that $Q \rightarrow Q' \sim P'$.

Proof. From the two previous lemmas: if $Q$ performed more than one action, then it would consume one more prefix or message than $P$. □

Theorem 5.17. Let $P, Q$ be two processes in $\mathrm{MA}^s_{IF}$, and suppose $P \sim Q$. Then $P \equiv Q$.

Proof. By induction on the shape of $P$ (almost exactly as in Theorem 5.9). □

Corollary 5.18. Let $P, Q$ be processes of $\mathrm{MA}^s_{IF}$. Then $P =_L Q$ iff $P \equiv Q$.



5.3. Name restriction. In this section, we consider the variant of MA, noted here $\mathrm{MA}_\nu$, that includes name restriction $(\nu n)P$. We discuss, among the previous results, which ones remain valid and which ones have to be amended.

Adding name restriction involves several modifications in the definition of the calculus and of the logic. Name $n$ is bound in $(\nu n)P$, and the definition of $\mathrm{fn}(P)$ is modified accordingly. Regarding structural congruence, we add alpha conversion for $\nu$ as well as the following laws:

$$\begin{array}{ll}
(\nu n)\mathbf{0} \equiv \mathbf{0} & (\nu n)(\nu m)P \equiv (\nu m)(\nu n)P \\
(\nu n)(P \mid Q) \equiv P \mid (\nu n)Q \ \text{ if } n \notin \mathrm{fn}(P) & (\nu n)m[P] \equiv m[(\nu n)P] \ \text{ if } n \neq m \\
\mathit{cap}.(\nu n)P \equiv (\nu n)\mathit{cap}.P \ \text{ if } n \notin \mathrm{fn}(\mathit{cap}) &
\end{array}$$

The last rule is not always present in the definition of structural congruence. It is not an essential rule, but including it makes some of our technical details simpler.

In the logic, additional connectives are introduced, as in [12], to handle restriction and the associated notion of freshness of names: formulas can also be of the form $n\circledR A$, $A \odot n$, or $\text{И}n.A$. Accordingly, the enriched notion of satisfaction, written $\models_\nu$, is given by:

- $P \models_\nu n\circledR A$ iff $P \equiv (\nu n)P'$ and $P' \models_\nu A$ for some $P'$;

- $P \models_\nu A \odot n$ iff $(\nu n)P \models_\nu A$;

- $P \models_\nu \text{И}n.A$ iff there is $n' \notin (\mathrm{fn}(P) \cup \mathrm{fn}(A))$ such that $P \models_\nu A\{n'/n\}$.

To illustrate this new setting, we consider the two following formulas:

$$\mathit{free}(n) \;\stackrel{\mathrm{def}}{=}\; \neg\, n\circledR\mathsf{T} \qquad\qquad \mathit{public} \;\stackrel{\mathrm{def}}{=}\; \text{И}n.\,\neg\big(n\circledR \mathit{free}(n)\big).$$

A process $P$ satisfying $\mathit{free}(n)$ cannot reveal $n$, which means that $n$ necessarily occurs free in $P$ (if $n \notin \mathrm{fn}(P)$, then $P \equiv (\nu n)P$ by the law $(\nu n)(P \mid Q) \equiv P \mid (\nu n)Q$ taken with $Q = \mathbf{0}$, so $P$ would reveal $n$). In turn, if $P$ satisfies $\mathit{public}$, then it cannot reveal a fresh name $n$ so as to exhibit free occurrences of $n$, which means that $P$ is structurally congruent to some $P' \in \mathrm{MA}$.

Formula $\mathit{public}$ hence provides a way of selecting processes belonging to MA among the processes in $\mathrm{MA}_\nu$. We can indeed adapt any formula $A$ we have used in the paper into a formula $A'$ such that whenever $P \models_\nu A'$, then $P \equiv P'$ for some $P'$ in MA such that $P' \models A$; in particular, formulas of the form $A_1 \triangleright A_2$ are translated into formulas of the form $(B_1 \wedge \mathit{public}) \triangleright B_2$.

In presence of name restriction, we can adapt rather easily several important results of the paper as follows (for each item, we indicate the part of the paper we refer to):

• a new 'intensional' rule must be added to the definition of $\sim_{int}$ (Def. 3.2): if $P \equiv (\nu n)P'$, then there is $Q'$ such that $Q \equiv (\nu n)Q'$ and $P' \sim_{int} Q'$;

• with this definition, it is possible to establish a soundness result ($\sim_{int} \subseteq =_L$, Theorem 3.29), and completeness for finite processes (processes without replication, Theorem 3.33);

• characteristic formulas are derivable for processes of the form $(\nu n_1)\ldots(\nu n_k)P$, where $P$ is a 'public' process in $\mathrm{MA}_{if}$ (Lemma 3.27): we rely on name revelation to get rid of the topmost restrictions, and then translate the characteristic formula for $P$ using the approach sketched above;

• logical equivalence coincides with structural congruence enriched with eta conversion for processes of the form $(\nu n_1)\ldots(\nu n_k)P$, with $P$ a public process in $\mathrm{MA}_{IF}$ (Corollary 5.10).

The difficult point, that we leave for future work, is to analyse processes that can generate unboundedly many names, i.e., in which restriction occurs under replication. Characteristic formulas seem much more difficult to obtain for such processes. We do not know at present how to derive completeness in the absence of an image-finiteness hypothesis (in particular, we do not see how a counterpart of Lemma 4.13 can be obtained).

6. (Un)decidability of logical equivalence

In this section we define the encoding of a Turing Machine in $\mathrm{MA}_{IF}$. The purpose of this encoding is to establish that logical equivalence is undecidable on $\mathrm{MA}_{IF}$.

The definition of the encoding requires the introduction of some constructions that will be given as ($\mathrm{MA}_{IF}$) contexts. To ease the reading of our definitions, we shall sometimes work with parametrised contexts, which are context definitions that depend on some values (names, words, or movements of the head of the Turing Machine). Additionally, some parametrised definitions shall be written $\mathit{foo}(p);P$: here, $\mathit{foo}$ is the name of the definition, whereas $p$ and $P$ are parameters ($P$ being a process); the notation emphasises the sequentiality between the process being introduced and $P$.

Remark 6.1. The results in this section improve and extend a preliminary version presented in [20]. By the time the writing of this paper was completed, Busi and Zavattaro [3] had studied encodings of another universal machine, namely the Random Access Machine, into a subset of MA. Their encodings are syntactically more concise than the one below of a Turing Machine. However, Busi and Zavattaro make use of combinations of operators that are not licit in $\mathrm{MA}_{IF}$ (i.e., their encodings are not encodings into $\mathrm{MA}_{IF}$). Also, while longer, the encoding of Turing Machines makes use of components which accomplish simple tasks and which interact with each other in simple manners. Correspondingly, each step of the proof, which follows the reductions of the encoding of a Turing Machine, is rather straightforward. For these reasons we maintain the schema of the original encoding in [20].



6.1. Ribbons. Digits and words. We associate to the booleans true and false two names $\mathit{tt}$ and $\mathit{ff}$. We call these names digits, and range over digits with $d, d'$. A word will be the result of a (possibly empty) concatenation of digits. The empty word shall be written $\epsilon$. We range over words with $w, w', w_1, w_2$. Given a word $w$ consisting of $r$ digits (with $r \geq 1$), we shall sometimes write $w_1 \ldots w_r$ to refer to the digits of $w$. This should not be confused with the notation $\mathit{ff}^n$, that we will sometimes use to represent the word consisting of $n$ times the digit $\mathit{ff}$ (this should be clear from the context).

We start with the definition of the support of the Turing Machine: ribbons can be in different states (frozen, growing, work ribbon, old), and are defined as follows:

Cells and Words

$\mathit{cell}(d)\{\!|\ |\!\} := \mathit{cell}[\,d[\mathbf{0}] \mid !\mathit{open}\ \mathit{wo} \mid \{\!|\ |\!\}\,]$

$\mathit{word}(w)\{\!|\ |\!\} := \mathit{cell}(w_1)\{\!|\ \mathit{cell}(w_2)\{\!|\ \ldots\ \mathit{cell}(w_r)\{\!|\ |\!\}\ \ldots\ |\!\}\ |\!\}$   (for $w = w_1 \ldots w_r$; $\mathit{word}(\epsilon)\{\!|\ |\!\}$ is the hole itself)

Ribbon Extensor

$\mathit{deadextcode} := !\mathit{open}\ \mathit{coin}.\,\mathit{open}\ \mathit{newcell}.\,\mathit{in}\ \mathit{cell}.\,\mathit{coin}[\mathbf{0}] \;\mid\; !\mathit{newcell}[\,\mathit{cell}(\mathit{ff})\{\!|\ \mathit{out}\ \mathit{ext}\ |\!\}\,]$

$\mathit{sendstart} := \mathit{msg}[\,\mathit{out}\ \mathit{ext}.\,!\mathit{out}\ \mathit{cell} \;\mid\; \mathit{out}\ \mathit{ribbon\_left}.\,\mathit{start}[\mathit{in}\ \mathit{TM}]\,]$

$\mathit{ExtensorFrozen} := \mathit{ext}[\,\mathit{deadextcode} \mid \mathit{open}\ \mathit{coin}.\,\mathit{sendstart}\,]$

$\mathit{ExtensorAlive} := \mathit{ext}[\,\mathit{coin}[\mathbf{0}] \mid \mathit{deadextcode} \mid \mathit{open}\ \mathit{coin}.\,\mathit{sendstart}\,]$

$\mathit{ExtensorDead} := \mathit{ext}[\,\mathit{deadextcode}\,]$

Ribbons

$\mathit{cleaninst} := \mathit{open}\ \mathit{cleaner}.\,\mathit{open}\ \mathit{runclean} \;\mid\; \mathit{runclean}[\,\mathit{deadcleancode}\,]$

$\mathit{deadcleancode} := !\mathit{open}\ \mathit{ff} \mid !\mathit{open}\ \mathit{tt} \mid !\mathit{open}\ \mathit{cell} \mid !\mathit{open}\ \mathit{wo}$

$\mathit{FrozenRibb}(w) := \mathit{ribbon\_left}[\,\mathit{cleaninst} \mid \mathit{word}(w)\{\!|\ \mathit{ExtensorFrozen}\ |\!\}\,]$

$\mathit{GrowingRibb}(w) := \mathit{ribbon\_left}[\,\mathit{cleaninst} \mid \mathit{word}(w)\{\!|\ \mathit{ExtensorAlive}\ |\!\}\,]$

$\mathit{WorkRibb}(w_1, w_2)\{\!|\ |\!\} := \mathit{ribbon\_left}[\,\mathit{cleaninst} \mid \mathit{word}(w_1)\{\!|\ \{\!|\ |\!\} \mid \mathit{word}(w_2)\{\!|\ \mathit{ExtensorDead}\ |\!\}\ |\!\}\,]$

$\mathit{OldRibb} := \mathit{ribbon\_left}[\,\mathit{deadcleancode} \mid \mathit{ExtensorDead}\,]$


All names used in the definitions above are supposed to be pairwise distinct. In par- 
ticular, TM is the name we shall use for the ambient containing the Turing Machine (see 
Definition 16. 5p . The ribbon is represented as a nesting of ambients named cell, each of 
which contains an empty ambient named d, where d is the digit value of the cell: this cor- 
responds to the definitions of cell(d) and word - the !open wo subterm is there to trigger 
the computation of the head of the machine as soon as the head 'points to' (i.e., enters) the 
current cell (see Section I6.2p . 

Ribbon extension is used to generate a sufficiently long nesting of cell ambients for the
machine to run. A frozen ribbon consists of a word w, containing at the end of the ribbon
a frozen ribbon extensor (definition of FrozenRibb; the cleaninst part will be useful
later on). The extensor is triggered by the presence of an ambient named coin (definitions
ExtensorFrozen and ExtensorAlive): when this happens, the loop programmed in the
definition of deadextcode can start, which can have the effect of adding new cells, whose
value is ff. Each time the extensor loops (state ExtensorAlive), the coin ambient can
instead be consumed by the process open coin. sendstart, which has the effect of stopping the
extension process and sending an ambient msg out of the ribbon to instruct the machine to start
the computation. When this happens, the extensor is in ExtensorDead state.

A ribbon in GrowingRibb state keeps extending until the extensor dies, at which point
it becomes a WorkRibb (WorkRibb has two parameters, w_1 and w_2, in order to reason about
the cell where the head of the machine currently is). Along this evolution, the cleaninst
code is always present. When the machine successfully terminates its computation (we will
describe below how this happens), it generates an ambient named cleaner, which triggers
the cleaning of the machine: all the cell, tt and ff ambients, together with the !open wo
processes, which intuitively constitute the "data structures" of the machine, are removed.
At this point, we obtain an OldRibb.

Some of the explanations we have just given are formalised by the following result,
which will be used to establish the undecidability of =_L.

Lemma 6.2 (Ribbon evolution).

For any word w and n ∈ N, we write P_n = GrowingRibb(w.ff^n), where ff^n stands
for the word written as n times the name ff. We have:

• P_n ⇒ P_{n+1};

• P_n ⇒ R with

R = WorkRibb(e, w.ff^n){| msg[ !out cell | out ribbon_left. start[ in TM ] ] |};

• for any term Q along the reduction paths from P_n to P_{n+1} and from P_n to R, there exists
Q' such that Q ≡ ribbon_left[Q'].

Moreover, for any word w, we have:

WorkRibb(w, e){| |} | cleaner[ in ribbon_left ] ⇒ OldRibb.

Proof. At any step, the extensor can only choose between creating a new ff cell or dying
and sending up through the ribbon an ambient msg. Note that when extending the ribbon
with a new ff cell, there are at some point two concurrent actions in cell and out ext: these
are in causal dependency, since the in cell can only happen once the out ext has taken place,
which ensures sequentiality of the execution. □

6.2. Turing Machine.

Definition 6.3 ((Ideal) Turing Machine). We introduce three symbols ←, ↓ and → for the
movements of the head of a Turing Machine.

We represent a Turing Machine as a quadruplet (Q, q_start, q_A, δ) where Q is a set of
states, q_start is the initial state, q_A is the accepting state, and δ : Q × {ff, tt} → Q ×
{ff, tt} × {←, ↓, →} is the evolution function.

Notation: we shall write

(w_1, q, w_2) ↦ (w_1', q', w_2')

to denote the fact that the Turing Machine in state q with the head on the cell of the last
letter of w_1 (which will be referred to as "the head dividing the ribbon into words w_1 and
w_2") evolves in one step of computation into the machine in state q', dividing the ribbon
into words w_1' and w_2'.
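To make this convention concrete, here is an added example (not part of the original paper) of an ideal Turing Machine simulator written directly in the (w_1, q, w_2) notation: the head sits on the last letter of w_1, a step rewrites that letter, changes state and moves the head, and a move off either end of a finite ribbon w.ff^n is reported as a stuck configuration. The machine EVEN_TT and the helpers recognises and recognisable_on_some_extension are constructed for illustration; they anticipate the finite-ribbon recognition condition used in Proposition 6.10 and Lemma 6.13 below.

```python
"""Ideal Turing Machine of Definition 6.3, run in the (w_1, q, w_2) configuration
notation of Section 6.2 on a finite ribbon w.ff^n.

Added example, not code from the paper: the machine EVEN_TT and the helpers below
are constructed for illustration."""
from typing import Dict, Iterable, Optional, Tuple

FF, TT = "ff", "tt"                    # the two digits a cell may hold
LEFT, STAY, RIGHT = "<-", "|", "->"    # the three head movements of Definition 6.3

Word = Tuple[str, ...]
Config = Tuple[Word, str, Word]        # (w_1, q, w_2): the head is on the last letter of w_1
Delta = Dict[Tuple[str, str], Tuple[str, str, str]]   # delta(q, d_r) = (q_w, d_w, mv)


class IdealTM:
    """The quadruplet (Q, q_start, q_A, delta); delta must be total on non-accepting states."""

    def __init__(self, states: Iterable[str], q_start: str, q_accept: str, delta: Delta):
        self.states = frozenset(states)
        self.q_start, self.q_accept, self.delta = q_start, q_accept, delta
        for q in self.states - {q_accept}:
            for d in (FF, TT):
                if (q, d) not in delta:
                    raise ValueError(f"delta undefined on ({q}, {d})")

    def step(self, cfg: Config) -> Optional[Config]:
        """One step (w_1, q, w_2) |-> (w_1', q', w_2').  Returns None when the head would
        leave the ribbon: on the finite ribbon w.ff^n this is the 'machine is stuck' case
        of the Loop lemma.  There is no step from the accepting state."""
        w1, q, w2 = cfg
        if q == self.q_accept or not w1:
            return None
        q_new, d_w, mv = self.delta[(q, w1[-1])]
        w1 = w1[:-1] + (d_w,)                  # clear the digit read, write the new one
        if mv == LEFT:
            if len(w1) == 1:                   # no cell to the left of the first one
                return None
            w1, w2 = w1[:-1], (w1[-1],) + w2
        elif mv == RIGHT:
            if not w2:                         # ribbon exhausted: a longer w.ff^n is needed
                return None
            w1, w2 = w1 + (w2[0],), w2[1:]
        return (w1, q_new, w2)

    def run(self, ribbon: Word, fuel: int) -> Optional[Config]:
        """Start in q_start with the head on the first cell.  Returns the accepting
        configuration, or None if the machine gets stuck or has not accepted after `fuel` steps."""
        if not ribbon:
            return None
        cfg: Config = (ribbon[:1], self.q_start, ribbon[1:])
        for _ in range(fuel):
            if cfg[1] == self.q_accept:
                return cfg
            nxt = self.step(cfg)
            if nxt is None:
                return None
            cfg = nxt
        return None


def recognises(tm: IdealTM, w: Word, n: int, fuel: int = 10_000) -> bool:
    """Does tm recognise w on the ribbon w.ff^n (the question of Proposition 6.10)?"""
    return tm.run(w + (FF,) * n, fuel) is not None


def recognisable_on_some_extension(tm: IdealTM, w: Word, max_n: int,
                                   fuel: int = 10_000) -> Optional[int]:
    """Least N <= max_n such that w is recognised on w.ff^N (the condition of Lemma 6.13),
    or None if there is none up to the bound.  The bound is unavoidable: the unbounded
    question is exactly what the Loop lemma reduces logical equivalence to."""
    for n in range(max_n + 1):
        if recognises(tm, w, n, fuel):
            return n
    return None


# Constructed machine: accept iff the input contains an even number of tt's.
# q0 = even so far, q1 = odd so far.  Reading ff (the padding) in q0 accepts; reading ff in
# q1 moves right forever, so on any finite ribbon the machine eventually gets stuck.
EVEN_TT = IdealTM(
    states={"q0", "q1", "qA"}, q_start="q0", q_accept="qA",
    delta={
        ("q0", TT): ("q1", TT, RIGHT),
        ("q1", TT): ("q0", TT, RIGHT),
        ("q0", FF): ("qA", FF, STAY),
        ("q1", FF): ("q1", FF, RIGHT),
    },
)

if __name__ == "__main__":
    print(EVEN_TT.run((TT, TT, FF), 100))                          # accepting configuration
    print(recognisable_on_some_extension(EVEN_TT, (TT, TT), 5))   # 1: one padding cell suffices
    print(recognisable_on_some_extension(EVEN_TT, (TT,), 5))      # None: never recognised
```

Note that the word tt.tt is not recognised on the bare ribbon tt.tt (the head has to move right onto a padding cell to see the ff that triggers acceptance) but is recognised on tt.tt.ff; this is the "finite but sufficiently long ribbon" of Lemma 6.13, and the odd word tt is recognised on no extension at all because the machine runs off the end of every finite ribbon.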

The remainder of this subsection is devoted to establishing the following claim:

Claim 6.4. Any Turing Machine computation may be encoded in MA_IF.

Turing Machine Transitions

  clear(d); P               := wo[ out head. open d. wo[ in head ] ] | open wo. P
  write(d); P               := wo[ out head. ( d[0] | wo[ in head ] ) ] | open wo. P
  become(mo); P             := mo[ out head. open head. P ] | in mo
  domove(mv); P             := out cell. P    if mv = ←
                               P              if mv = ↓
                               in cell. P     if mv = →
  tcode(d_r, d_w, q_w, mv)  := clear(d_r); write(d_w); become(mo); in TM. domove(mv); open q_w

State

  ff → P + tt → Q           := coin[ in ff. out ff. P ] | coin[ in tt. out tt. Q ] | open coin
  code(q)                   := !q[ head[ out TM. ( ff → tcode(ff, d_ff, q_ff, mv_ff)
                                                  + tt → tcode(tt, d_tt, q_tt, mv_tt) ) ] ]
                               | !coin[ in ff. out ff. tcode(ff, d_ff, q_ff, mv_ff) ]
                               | !coin[ in tt. out tt. tcode(tt, d_tt, q_tt, mv_tt) ]
  code(q_A)                 := !q_A[ get_out[0] ]

Turing Machine Behaviour after Recognition

  getout                    := !open get_out. out cell. get_out[0]
                               | !open get_out. out ribbon_left. ( cleaner[ out TM. in ribbon_left ]
                                                                 | coin[ out TM. in ribbon_left. in cell^length(w). in ext ]
                                                                 | open start. in ribbon_left. in cell. open q_start )

Figure 1: Encoding Turing Machines in MA_IF

To encode Turing Machines, we must describe how we simulate in MA_IF the transitions
of the machine, and how some extra manipulations are performed after recognition of a
word (these are necessary to deduce the undecidability result proved below).

The encoding is given by the definitions collected in Figure 1. The overall shape of the
encoding can be described as follows:

Definition 6.5 (Turing Machine in Mobile Ambients). The encoding of a Turing Machine
is based on an ambient named TM, containing a persistent process named tmsoup:

tmsoup := code(q_0) | ... | code(q_n) | getout | !open mo.

We define two configurations for the encoding of a Turing Machine. Before being active,
the machine is in starting state, defined by:

TMStart := TM[ open start. in ribbon_left. in cell. open q_start | tmsoup ].

Once the computation has started, the Turing Machine in state q is represented by the term

TM(q) := TM[ open q | tmsoup ].
Lemma 6.6 (MA_IF encoding). All terms used in the encoding of a Turing Machine belong
to MA_IF.

Our Turing Machine encoding is somewhat reminiscent of the one presented in [13]. We
should however remark that we work here in a language without name restriction, and with
a simpler encoding of choice (operator + above, used to test the value of a cell).

According to the explanations given in Section 6.1, the machine reacts to the presence
of an ambient named start to enter the first cell of the ribbon and start the computation
(definition TMStart).

The behaviour of the running machine is described by the definition of code(q): the
head of the machine enters the current cell, and tests its value by concurrently trying to
enter ambients named ff and tt. According to the ambient being present, the appropriate
machine transition is triggered (definition of tcode; d_ff, q_ff and mv_ff stand for the new value,
new state, and movement of the head determined by the current state if the value read is
ff, and similarly for tt). The last two lines in the definition of code (processes starting with
!coin ...) are there for garbage collection purposes: they "absorb" the branch of the choice
that has not been triggered, since a leftover coin[...] ambient is exactly one copy of the
corresponding replicated term !coin[...], and !P | P ≡ !P.

Performing a transition involves erasing the current value of the cell, installing the new
value, getting back inside the Turing Machine (the current working ambient had to get out
of it to read the value of the cell), and triggering the movement of the machine (definition
of tcode). The corresponding definitions at the top of Figure 1 should be self-explanatory, the
become(mo) part being necessary to synchronise with the !open mo inside ambient TM.
Finally, open q_w starts the execution of the code corresponding to q_w, the new state of the
machine: according to Definition 6.5, the code of all possible states of the machine is
present in replicated form in TM.

The code of the accepting state q_A is peculiar: when the machine reaches this state, it
triggers process getout, which makes it exit the ribbon and start the cleaning process. As
explained above, the presence of an ambient named cleaner in ambient ribbon_left triggers
process cleaninst of Section 6.1. The process on the last line of Figure 1 is there to install
the machine in the exact initial state once the word has been recognised and cleaning has
been performed. This is necessary to obtain a loop in the proof of Lemma 6.13 below.

We can remark that the encoding is parametric over a word w, whose length (denoted
length(w)) is used in the definition of getout (in that definition, in cell^length(w) stands for
the concatenation of length(w) copies of the capability in cell). This aspect of our encoding
is however harmless, since it only plays a role after the end of the execution of the machine,
and not during the central part of the simulation.

We now formulate the evolution of the terms we have defined in order to simulate 
Turing Machines. We first introduce a useful relation. 

Definition 6.7 (deterministic evolution relation). We say that a process P deterministically
evolves to Q, written P ~> Q, if and only if P → Q and for any Q' s.t. P → Q', either
Q' ↛ or Q ≡ Q'.

Notation: We shall write P ~>^k Q to say that P deterministically reduces to Q in k steps
(k ≥ 1). We write P ~>* Q when P ~>^k Q for some k.

Using ~>, we can state some elementary facts about the macros involved in the execution
of the machine. The relation P ~>* Q captures the fact that P cannot avoid reducing to Q
except for some immediately blocking states. Such blocking states may only appear due to
the firing of the "wrong branch" in a choice encoding (ff → ... + tt → ...). (Incidentally,
we may remark that a purely deterministic encoding of the Turing Machine could probably
be defined, but at the cost of more complex definitions and proofs.)
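As an added illustration (not code from the paper), the following Python checks Definition 6.7 on an explicit finite transition system. The map succ lists the one-step reducts of each process, and process names stand in for structural congruence, so reducts must be written in canonical form. The system CHOICE_IN_CELL is constructed to mirror the choice encoding fired inside a cell holding ff: after the ff-coin has come back into head, open coin may also fire on the tt-coin that never moved, which yields an immediately blocked term and is therefore tolerated by the definition, whereas the system FORK has two reducts that both keep reducing and admits no deterministic step at all.

```python
"""The deterministic evolution relation ~> of Definition 6.7, checked on an explicit finite
transition system.  Added example, not code from the paper: `succ` lists the one-step
reducts of each process, and process names stand in for structural congruence, so reducts
must be written in canonical form."""
from typing import Dict, Optional, Set

Succ = Dict[str, Set[str]]


def is_blocked(succ: Succ, p: str) -> bool:
    """P -/->: P has no reduction at all."""
    return not succ.get(p)


def det_reducts(succ: Succ, p: str) -> Set[str]:
    """All Q with P ~> Q: P -> Q and every other reduct of P is immediately blocked."""
    reducts = succ.get(p, set())
    live = {q for q in reducts if not is_blocked(succ, q)}
    if len(live) > 1:
        return set()            # two distinct non-blocking futures: not deterministic
    if len(live) == 1:
        return live             # the blocked alternatives are tolerated by Definition 6.7
    return set(reducts)         # every reduct is blocked: P ~> Q holds for each of them


def det_path(succ: Succ, p: str, q: str) -> Optional[int]:
    """The k >= 1 with P ~>^k Q, following deterministic steps from P; None if Q is not
    reached that way (including when the chain hits a blocked or a nondeterministic term)."""
    cur, k, seen = p, 0, {p}
    while True:
        ds = det_reducts(succ, cur)
        if not ds:
            return None
        k += 1
        if q in ds:
            return k
        if len(ds) != 1:        # several reducts, all of them blocked and none equal to Q
            return None
        (cur,) = ds
        if cur in seen:         # cycle: Q is not on the deterministic chain
            return None
        seen.add(cur)


# Constructed system mirroring the choice  ff -> P + tt -> Q  fired inside a cell that
# holds ff (the situation of Lemma 6.8 (1)).  Only the ff-coin can move; once it is back,
# `open coin` may open it (the intended branch) or open the tt-coin that never moved, which
# releases `in tt. out tt. Q` inside head with no tt ambient to enter: an immediately blocked term.
START = "head[ff->P + tt->Q] | ff[0]"
RIGHT_BRANCH = "head[P | coin[in tt.out tt.Q]] | ff[0]"
WRONG_BRANCH = "head[in tt.out tt.Q | coin[P]] | ff[0]"      # blocked
CHOICE_IN_CELL: Succ = {
    START: {"coin entered ff"},
    "coin entered ff": {"coin back in head"},
    "coin back in head": {RIGHT_BRANCH, WRONG_BRANCH},
    RIGHT_BRANCH: {"P runs"},
    WRONG_BRANCH: set(),
    "P runs": set(),
}

# A genuine race: two reducts that can both keep reducing, so no ~> step exists.
FORK: Succ = {"fork": {"a", "b"}, "a": {"c"}, "b": {"c"}, "c": set()}

if __name__ == "__main__":
    print(det_path(CHOICE_IN_CELL, START, RIGHT_BRANCH))   # 3, the count of Lemma 6.8 (1)
    print(det_reducts(FORK, "fork"))                       # set()
```

The three deterministic steps from START to RIGHT_BRANCH are the in ff, out ff and open coin of the chosen branch; the wrong firing of open coin does not break the count because the term it leads to cannot reduce any further.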

Lemma 6.8 (state evolution). For any terms P, Q, names d, d' ∈ {ff, tt} and word w, we
set M = d[0] | !open wo | word(w){| ExtensorDead |}. We then have the following
deterministic transition sequences:

(1) head[ d → P + ¬d → Q ] | d[0] | !open wo | cell[M] | TM[ tmsoup ]

      ~>^3  head[ P | coin[ in ¬d. out ¬d. Q ] ] | d[0] | !open wo | cell[M] | TM[ tmsoup ];

(2) head[ clear(d); P | coin[ in d'. Q ] ] | d[0] | !open wo | cell[M] | TM[ tmsoup ]

      ~>^5  head[ P | coin[ in d'. Q ] ] | !open wo | cell[M] | TM[ tmsoup ];

(3) head[ write(d); P | coin[ in d'. Q ] ] | !open wo | cell[M] | TM[ tmsoup ]

      ~>*  head[ P | coin[ in d'. Q ] ] | d[0] | !open wo | cell[M] | TM[ tmsoup ];

(4) head[ become(mo); P | coin[ in d'. Q ] ] | d[0] | !open wo | cell[M] | TM[ tmsoup ]

      ~>^3  mo[ P | coin[ in d'. Q ] ] | d[0] | !open wo | cell[M] | TM[ tmsoup ].

Moreover, the same results hold with a frozen (instead of dead) extensor in M, the only
condition being that ambient ext contains an inactive term.

Proof. By inspection of the possible reductions of the processes being considered. From
the second statement on, the ambient coin[ in d'. Q ] is frozen: it actually represents the
non-chosen branch in the encoding of the choice operator, which will be erased later, when
the head of the Turing Machine comes back inside ambient TM (see below). □

We can now merge the results above into a property regarding transitions of the Turing 
Machine. 

Lemma 6.9 (One step of Turing Machine simulation).

Let M be a Turing Machine, q one of its non-accepting states, and w_1, w_2 two words,
with w_2 ≠ e. Suppose (w_1, q, w_2) ↦ (w_1', q', w_2'). Then

WorkRibb(w_1, w_2){| TM(q) |} ~>* WorkRibb(w_1', w_2'){| TM(q') |}.

Proof. We divide the evolution of the term representing the Turing Machine into the fol-
lowing steps:

(1) From state q, the TM can trigger the q code by performing the corresponding open
operation, which has the effect of releasing an ambient named head. Moreover, this is
the only place where some reduction is possible, because first, the extensor is inactive and
second, in every ambient named cell, no reduction occurs. Therefore,

WorkRibb(w_1, w_2){| TM(q) |}

  ~>*  WorkRibb(w_1, w_2){| TMNostate | head[ ff → ... + tt → ... ] |}

where the notation TMNostate stands for the following configuration of the Turing
Machine ambient:

TM[ code(q_0) | ... | code(q_n) | tmsoup ]

Note that this ambient cannot perform any reduction as long as it is not visited by a
mo or get_out ambient.

(2) Using the previous fact, and considering that reductions can only take place at cell
level, we have

WorkRibb(w_1, w_2){| TMNostate | head[ ff → ... + tt → ... ] |}

  ~>*  WorkRibb(w_1^1 ... w_1^{k-1} d, w_2){| TMNostate
       | mo[ in TM. domove(mv); open q' | coin[ in ¬w_1^k. P ] ] |}

where w_1 = w_1^1 ... w_1^k and δ(q, w_1^k) = (q', d, mv) (i.e., the machine evolves from q to q' when reading w_1^k).

(3) The ambient mo comes back into the Turing Machine and is opened by the tmsoup
component. Then the head movement (if any) is performed, which activates an open q'
process, so that the Turing Machine gets into TM(q') state.

WorkRibb(w_1^1 ... w_1^{k-1} d, w_2){| TMNostate
       | mo[ in TM. domove(mv); open q' | coin[ in ¬w_1^k. P ] ] |}

  ~>^{2(+1)}  WorkRibb(w_1', w_2'){| TM(q') |}.

Note that opening ambient mo triggers the absorption of the non-selected branch of
the choice (ambient coin) by a !coin[...] (from the code for the original state of the
machine).

The 2(+1) above comes from the fact that the head of the machine can also make no
movement in its transition from a state to another (case ↓). □

We obtain as a corollary of the Lemma above: 

Proposition 6.10 (Turing Machine simulation). Given a Turing Machine M, for any word
w and n ∈ N, the Turing Machine M recognises the word w on the ribbon w.ff^n iff there
exist two words w_1 and w_2 s.t.

WorkRibb(e, w.ff^n){| TM(q_start) |} ⇒ WorkRibb(w_1, w_2){| TM(q_A) |},

where the terms above are given by the encoding of M.

Let us finally describe what happens after the machine has reached the accepting state. 

Lemma 6.11 (Acceptation). Let w_1, w_2 be two words. Then

WorkRibb(w_1, w_2){| TM(q_A) |}

  ⇒  OldRibb | TMStart | coin[ in ribbon_left. in cell^length(w). in ext ]

where w is the word used in the encoding of the machine.

Proof. We distinguish four steps:

(1) When the q_A ambient has been opened, the ambient get_out is liberated and is present
within TM:

WorkRibb(w_1, w_2){| TM(q_A) |} ⇒ WorkRibb(w_1, w_2){| TMGetout |}

where TMGetout is the term

TM[ get_out[0] | code(q_0) | ... | code(q_n) | tmsoup ].

(2) This allows the TM ambient to consume a get_out 'token', execute the branch containing the
out cell, and, doing this, liberate a new get_out ambient:

WorkRibb(w_1, w_2){| TMGetout |} ⇒ WorkRibb(w_1^1 ... w_1^{k-1}, w_1^k.w_2){| TMGetout |}

Note that the other subterm starting with open get_out could also have been triggered,
leading to a blocked state. This is no harm for us, since we want to establish the
existence of an execution where the machine exits the ribbon. This way, TM progresses
outwards until it is directly inside ribbon_left.

(3) Then TM gets out of ribbon_left, choosing the other branch of open get_out, which
leads to the following state (the last prefix released by getout is the one that rebuilds TMStart):

WorkRibb(e, w_1.w_2){| |} | TM[ cleaner[ out TM. in ribbon_left ]
  | coin[ out TM. in ribbon_left. in cell^length(w). in ext ]
  | open start. in ribbon_left. in cell. open q_start
  | code(q_0) | ... | code(q_n) | tmsoup ]

(4) At this point, the ambient named TM may liberate an ambient cleaner that enters
ribbon_left and starts the cleaning process. TM may also liberate the ambient coin, so
that we exactly obtain the expected term. □

Remarks 6.12.

• As we already mentioned above, our encoding of the Turing Machine is at this point
dependent on the word w that we want it to recognise.

• We reason here using ⇒ transitions instead of deterministic reduction: indeed, we are
considering states where the machine has already recognised the word, and we only need
to prove that there exists some way back to its (exact) initial state. This will be enough
for the proof of undecidability in Section 6.3.

6.3. Undecidability of Logical Equivalence. We can now exploit the encoding we have
studied to establish the undecidability of =_L.

Lemma 6.13 (Loop lemma). Given a Turing Machine M and a word w, define the fol-
lowing terms, given from the encoding of M:

Q := !FrozenRibb(w) | !OldRibb | !open msg | !out cell | TMStart,
P_0 := Q | GrowingRibb(w)   and   P_1 := Q | GrowingRibb(w.ff).

Then P_0 ⇒ P_1. Conversely, P_1 ⇒ P_0 if and only if the word w may be recognised on
a finite (but sufficiently long) ribbon of the shape w.ff^N, for some N ∈ N, by the Turing
Machine M.

Proof. The transition P_0 ⇒ P_1 follows from Lemma 6.2.

Let us then first assume that w can be recognised on a ribbon of the form w.ff^N,
that is, w followed by an arbitrary number of ff digits. Then from Lemma 6.2 we can
obtain the corresponding extension of the ribbon from state P_1, i.e. exhibit a transition
P_1 ⇒ Q | WorkRibb(w.ff^N, e){| |} | start[ in TM ]. At this point, the ambient start
can enter TM and allow it to get into the work ribbon. Then, using the simulation result
(Proposition 6.10), we know that the Turing Machine reaches the accepting state (this re-
sult is obtained by induction over the length of the computation). At this point, according to Lemma 6.11,
the work ribbon is transformed into an old ribbon (collected by the corresponding replicated
term in Q), the Turing Machine comes out of the ribbon, and waits for a start signal. The
liberated coin ambient may progress inside a frozen ribbon (containing word w by definition
of Q above) until it reaches the frozen extensor and wakes it up. We then exactly obtain
P_0.

Now let us assume that w cannot be recognised on any such ribbon. As Q is blocked (in
particular, TMStart is waiting for an ambient start to enter TM), the first reducts of P_1
are of the form Q | ribbon_left[R], where GrowingRibb(w.ff) ⇒ ribbon_left[R]. If a



SEPARABILITY IN THE AMBIENT LOGIC * 






reduction chain from P_1 to P_0 can be found, then by Lemma 6.2 there exists an integer n
such that

P_1 ⇒ T ⇒ P_0,   where T := Q | WorkRibb(w.ff^n, e){| |} | start[ in TM ].

In term T the WorkRibb is blocked, so the only evolution can come from the machine
entering a ribbon. We distinguish three cases according to the kind of ribbon which is
entered by the machine:

(1) If it gets into an old ribbon, there can be no more reduction, as the TM is stuck on an
in cell action.

(2) If it gets into the work ribbon, according to Proposition 6.10 there is a unique way
to evolve, through simulation of the machine. At this point, the machine may have an
infinite computation on the finite ribbon, never reaching the accepting state: this means
that it will not get out of the ribbon, which prevents the system from evolving into P_0.
Alternatively, the machine may try to use more ribbon than what has been created
before the evolution from GrowingRibb into WorkRibb, and the machine is stuck. So in any
case, state P_0 cannot be reached.

(3) We reason similarly in the case where the machine enters a frozen ribbon.

Finally, we have that state P_0 is unreachable if word w cannot be recognised by the machine
on a ribbon of the form w.ff^N for some N, which concludes the proof. □

Theorem 6.14 (Undecidability of =_L). =_L is an undecidable relation on MA.

Proof. Let us first note that the decidability of =_L over MA_IF is a consequence of its
inductive characterisation ≈_ind (Definition 4.9) together with the image-finiteness hypothesis
of MA_IF.

Let us now prove the undecidability of =_L on MA. Consider processes P_0 and P_1 of
Lemma 6.13. These processes are in MA_IF. We show that deciding whether
open n. P_0 =_L open n. P_1 holds is equivalent to deciding whether P_0 ⇒ P_1 ⇒ P_0; this is
enough, by Lemma 6.13, to obtain the undecidability of =_L. Using Corollary 4.20, the
definition of ≈_int, and Theorem 5.9, we have:

open n. P_0 =_L open n. P_1   iff   open n. P_0 ≈_int open n. P_1

                               iff   P_0 ⇒≈_int P_1 and P_1 ⇒≈_int P_0

(from Theorem 5.9, ⇒≈_int is ⇒ on MA_IF).

The first equivalence follows from soundness and completeness (Theorems 3.29 and
4.19). The second is the definition of ≈_int. Since on MA_IF ≈_int = ≡, the last condition is
simply the loop condition, and undecidability follows from Lemma 6.13. □

7. Conclusions and future work 

In this paper we have presented a number of characterisations of logical equivalence,
including a coinductive characterisation by means of intensional bisimilarity, ≈_int, and an
inductive characterisation based on inversion results for ≈_int. These characterisation results
are established on the MA calculus, in which terms need not be image-finite, and with respect
to a finitary logic. We are not aware of other results of this kind. (Characterisation results
for a bisimilarity with respect to a modal logic in the literature rely either on an image-
finiteness hypothesis for the terms of the language, or on the presence of some infinitary
constructs in the syntax of the logic.)

We have compared logical equivalence with barbed congruence, showing that the latter
is strictly coarser, and with structural congruence, showing that the two relations are "al-
most the same" in the (Turing-complete) calculus MA_IF (the two relations coincide on the
synchronous version of MA_IF, whereas an additional eta-law has to be added to structural
congruence in the asynchronous calculus). A spin-off of this study is a better general under-
standing of behavioural equivalences in Ambient-like calculi. For instance, we have shown
that behavioural equivalences can be insensitive to stuttering phenomena originated by pro-
cesses that may repeatedly enter and exit an ambient. Finally, we have proved that logical
equivalence, although decidable on MA_IF, is not decidable on the whole MA calculus.

We discuss below a few possible extensions of our work. On the logic side, other logical
connectives could be added without changing our results, as long as formulas expressing
capabilities and replication can still be derived. We believe this holds in particular for the
'somewhere' modality [11], and for fresh quantification [17].

In our work, we have interpreted the 'sometimes' modality (◇A) in a weak sense, which
makes intensional bisimilarity a weak form of bisimilarity. We believe that under a strong
interpretation of the modality the result corresponding to Theorem 5.9 can be derived in a
much simpler way, especially because stuttering does not show up.

On the calculus side, a first variation could be the introduction of a general recursion 
scheme instead of replication. This would make it possible to express recursion 'in depth', 
and not only 'in width', as with replication. Our proofs do not obviously carry over to this 
setting, mainly due to the fact that the sequential degree of a process may then be infinite, 
and we would lack a measure to reason by induction. 

Another interesting extension is the addition of name restriction (νn)P to the calcu-
lus. Including restriction naturally requires adding its logical counterpart, name revelation
(n®A, see [12]), to the logic. Our results can be extended to this setting on the finite calcu-
lus, and on infinite processes with only finitely many restricted names, but we do not know
how to extend them to richer calculi. For instance, the proof of completeness cannot be
directly adapted to the extension with name restriction in the general case. The possibility
of generating infinitely many fresh names breaks Lemma 4.12, intuitively because infinitely
many frozen subterms can appear as outcomes of a given term. For the same reason, we
think that our approach to obtaining completeness in the absence of an image-finiteness hypoth-
esis cannot be adapted to the π-calculus, where infinitely many names can be generated.
However, our results for the MA_IF fragment, in particular Theorem 5.9 (=_L = ≡), still hold
in the presence of name restriction.

In the paper we have considered only communications of basic names. Certain pre-
sentations of the MA calculus also include operators for communication of capabilities. We
believe that such communications could be added with mild modifications to the proofs.